diff --git a/integrations/.gitignore b/integrations/.gitignore
index ee1a01f52633d..1520d292b6640 100644
--- a/integrations/.gitignore
+++ b/integrations/.gitignore
@@ -1,6 +1 @@
-elastic
-opensearch
-splunk
-common
-config
 docker/certs
\ No newline at end of file
diff --git a/integrations/README.md b/integrations/README.md
index ae3253b8547b8..366f7b0648feb 100644
--- a/integrations/README.md
+++ b/integrations/README.md
@@ -34,4 +34,6 @@ As a last note, we would like to point out that we also use this Docker environm
 ### Other integrations
-TBD
+#### Integrations with Splunk, Elastic and OpenSearch
+
+Check the [external](./external) folder.
\ No newline at end of file
diff --git a/integrations/external/.env b/integrations/external/.env
new file mode 100644
index 0000000000000..6d9a61c5d1864
--- /dev/null
+++ b/integrations/external/.env
@@ -0,0 +1,41 @@
+WAZUH_VERSION=4.3.10
+ELASTIC_PASSWORD=changeme
+
+
+## ELASTIC STACK
+# Password for the 'kibana_system' user (at least 6 characters)
+KIBANA_PASSWORD=kibana_system
+
+# Version of Elastic products
+STACK_VERSION=8.6.2
+
+# Set the cluster name
+CLUSTER_NAME=docker-cluster
+
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+LICENSE=basic
+#LICENSE=trial
+
+# Port to expose Elasticsearch HTTP API to the host
+ES_PORT=9201
+#ES_PORT=127.0.0.1:9200
+
+# Port to expose Kibana to the host
+KIBANA_PORT=5602
+#KIBANA_PORT=80
+
+# Increase or decrease based on the available host memory (in bytes)
+MEM_LIMIT=1073741824
+
+## OPENSEARCH STACK
+#Stack version
+OS_VERSION=2.6.0
+
+#Opensearch port
+OS_PORT=9202
+
+#Opensearch dashboard port
+OSD_PORT=5603
+
+SPLUNK_FORWARDER_URL=https://download.splunk.com/products/universalforwarder/releases/9.0.4/linux/splunkforwarder-9.0.4-de405f4a7979-linux-2.6-amd64.deb
+LOGSTASH_URL=https://artifacts.elastic.co/downloads/logstash/logstash-8.6.2-linux-x86_64.tar.gz
\ No newline at end of file
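Review bot: The new `.env` publishes the Elasticsearch, Kibana and OpenSearch ports as bare port numbers (`ES_PORT=9201`, `KIBANA_PORT=5602`, `OS_PORT=9202`, `OSD_PORT=5603`) next to well-known default passwords (`ELASTIC_PASSWORD=changeme`, `KIBANA_PASSWORD=kibana_system`). The compose file is not visible here, but if it maps them in the usual `${ES_PORT}:9200` form, the services listen on every host interface with guessable credentials. The defaults would be safer bound to loopback, e.g. `ES_PORT=127.0.0.1:9201` and `KIBANA_PORT=127.0.0.1:5602` (likewise for the two OpenSearch ports), following the commented `#ES_PORT=127.0.0.1:9200` example already in the file. A leading comment such as `# Test-only credentials; change them before exposing any port beyond localhost` would state the intent. `SPLUNK_FORWARDER_URL` and `LOGSTASH_URL` have no expected digest alongside them, so wherever the generator downloads these packages it should verify a pinned checksum.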
diff --git a/integrations/external/README.md b/integrations/external/README.md
new file mode 100644
index 0000000000000..a35998436a27d
--- /dev/null
+++ b/integrations/external/README.md
@@ -0,0 +1,75 @@
+# Wazuh integrations
+
+This folder contains a Docker compose project to test integrations with Splunk and Elasticsearch, from the Wazuh Indexer as well as from the Wazuh manager.
+
+## Services
+
+The Docker Compose project contains these services:
+
+- 1x Splunk Indexer 9.0.4.
+- 1x Wazuh stack (indexer, dashboard and manager). The manager container also has a Splunk Forwarder and a Logstash installation in the `/opt` folder.
+- 1x Elastic stack (Elasticsearch, Kibana and the setup container).
+- 1x OpenSearch stack (OpenSearch and OpenSearch Dashboards).
+- 1x Logstash 8.6.2.
+- 1x Generator, to generate the certificates and download the required packages.
+
+### Additional content
+
+- Dashboards for Splunk, Kibana and OpenSearch
+- Sample alerts for the last 7 days after starting the environments. Those are inside the `wazuh-manager` in `/var/ossec/logs/alerts/sample_alerts.json` and also in the `alerts.json` file merged with the non-sample data.
+
+## Requirements
+
+Installed and working installations of:
+
+- Docker.
+- Docker compose.
+
+## Usage
+
+The **.env** file contains variables used to configure the environment, such as component versions, forwarded ports and initial credentials. Modify it as required.
+
+Start all the containers running `docker compose up -d`. It is necessary to manually start the Splunk integration in the manager container by running `/opt/splunkforwarder/bin/splunk start --accept-license`. To stop the environment, use `docker compose down`.
+
+The Splunk Indexer instance is accessible on https://localhost:8000, credentials `admin:password`. In this instance, the logs imported from the Wazuh Indexer are in the `main` index, and the logs imported from the manager are in the `wazuh-alerts` index.
+
+The Wazuh Dashboard instance is accessible on https://localhost:5601 credentials `admin:SecretPassword`.
+
+The Kibana instance is accessible on http://localhost:5602 credentials `elastic:changeme`. In this instance, the logs imported from the Wazuh Indexer are in the `indexer-wazuh-alerts-4.x-` index, and the logs imported from the manager are in the `wazuh-alerts-4.x-` index.
+
+The OpenSearch dashboards instance is accessible on http://localhost:5603 credentials `admin:admin`. In this instance, the logs imported from the Wazuh Indexer are in the `indexer-wazuh-alerts-4.x-` index, and the logs imported from the manager are in the `wazuh-alerts-4.x-` index.
+
+The integration from the manager contains sample data, and also the alerts that are generated. The integration from the indexer will not contain any sample data. Additionally, the dashboards for all the platforms will only work with the index `wazuh-alerts...`, meaning that they will not reflect the data generated from the Indexer integration.
+
+## Importing the dashboards
+
+### Splunk
+
+The dashboards for Splunk are located in `extra/dashboards/Splunk`. The steps to import them to the indexer are the following:
+
+- Open a dashboard file and copy all its content.
+- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`.
+- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`.
+- Repeat the steps for all the desired dashboards.
+
+### Elastic
+
+The dashboards for Elastic are located in `docker/integrations/extra/dashboards/elastic`. The steps to import them to the indexer are the following:
+
+- On Kibana, expand the left menu, and go to `Stack management`.
+- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. It is possible to import only the desired dashboard, or the file `all-dashboards.ndjson`, that contains all the dashboards.
+- Click on Import.
+- Repeat the steps for all the desired dashboards.
+
+Imported dashboards will appear in the `Dashboards` app on the left menu.
+
+### OpenSearch
+
+The dashboards for OpenSearch are located in `docker/integrations/extra/dashboards/opensearch`. The steps to import them to the indexer are the following:
+
+- On OpenSearch Dashboards, expand the left menu, and go to `Stack management`
+- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. It is possible to import only the desired dashboard, or the file `all-dashboards.ndjson`, that contains all the dashboards.
+- Click on Import.
+- Repeat the steps for all the desired dashboards.
+
+Imported dashboards will appear in the `Dashboards` app on the left menu.
diff --git a/integrations/external/config/certs/ca.json b/integrations/external/config/certs/ca.json
new file mode 100644
index 0000000000000..8a96a70a42c42
--- /dev/null
+++ b/integrations/external/config/certs/ca.json
@@ -0,0 +1,15 @@
+{
+ "CN": "Wazuh",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "Wazuh",
+ "OU": "Wazuh Root CA"
+ }
+ ]
+}
diff --git a/integrations/external/config/certs/cfssl.json b/integrations/external/config/certs/cfssl.json
new file mode 100644
index 0000000000000..d23daf762100e
--- /dev/null
+++ b/integrations/external/config/certs/cfssl.json
@@ -0,0 +1,58 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "8760h"
+ },
+ "profiles": {
+ "intermediate_ca": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "cert sign",
+ "crl sign",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "8760h",
+ "ca_constraint": {
+ "is_ca": true,
+ "max_path_len": 0,
+ "max_path_len_zero": true
+ }
+ },
+ "peer": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "server": {
+ "usages": [
+ "signing",
+ "digital signing",
+ "key encipherment",
+ "data encipherment",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "client": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth"
+ ],
+ "expiry": "8760h"
+ }
+ }
+ }
+}
+
diff --git a/integrations/external/config/certs/host.json b/integrations/external/config/certs/host.json
new file mode 100644
index 0000000000000..27805da58e16f
--- /dev/null
+++ b/integrations/external/config/certs/host.json
@@ -0,0 +1,19 @@
+{
+ "CN": "HOST",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "California",
+ "O": "Wazuh",
+ "OU": "Wazuh"
+ }
+ ],
+ "hosts": [
+ "HOST",
+ "localhost"
+ ]
+}
diff --git a/integrations/external/config/logstash/es_template.json b/integrations/external/config/logstash/es_template.json
new file mode 100644
index 0000000000000..1fee33afc4da8
--- /dev/null
+++ b/integrations/external/config/logstash/es_template.json
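Review bot: In the `server` profile of `cfssl.json` the usage string `"digital signing"` is not a key-usage name; the `intermediate_ca`, `peer` and `client` profiles all spell it `"digital signature"`, and this line should read `"digital signature",` as well. As far as I know cfssl skips usage strings it does not recognise instead of rejecting the profile, so the typo would pass unnoticed when the certificates are generated. After the fix, inspecting one issued server certificate with `openssl x509 -noout -text` would confirm that its Key Usage and Extended Key Usage match what the profile intends.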
@@ -0,0 +1,2039 @@ +{ + "index_patterns": "wazuh-*", + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "refresh_interval": "5s", + "number_of_shards": "3", + "auto_expand_replicas": "0-1", + "query": { + "default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + 
"data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + 
"data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + 
"data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + 
"data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + "data.vulnerability.cvss.cvss3.vector.user_interaction", + 
"data.vulnerability.cwe_reference", + "data.vulnerability.package.source", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.severity", + "data.vulnerability.title", + "data.vulnerability.assigner", + "data.vulnerability.cve_version", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + 
"data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.mitre.id", + "rule.mitre.tactic", + "rule.mitre.technique", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.mode", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "number_of_replicas": "0" + } + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + 
"city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "agent": { + "properties": { + "id": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "properties": { + "action": { + "type": "keyword" + }, + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": 
"keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "accountId": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "createdAt": { + "type": "date" + }, + "dstaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "log_info": { + "properties": { + "s3bucket": { + "type": "keyword" + } + } + }, + "region": { + "type": "keyword" + }, + "resource": { + "properties": { + "instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + }, + "service": { + "properties": { + "action": { + "properties": { + "networkConnectionAction": { + "properties": { + "remoteIpDetails": { + "properties": { + "geoLocation": { + "type": "geo_point" + }, + "ipAddressV4": { + "type": "ip" + } + } + } + } + } + } + }, + "count": { + "type": "long" + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "source": { + "type": "keyword" + }, + "source_ip_address": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" 
+ }, + "start": { + "type": "date" + }, + "updatedAt": { + "type": "date" + } + } + }, + "cis": { + "properties": { + "benchmark": { + "type": "keyword" + }, + "error": { + "type": "long" + }, + "fail": { + "type": "long" + }, + "group": { + "type": "keyword" + }, + "notchecked": { + "type": "long" + }, + "pass": { + "type": "long" + }, + "result": { + "type": "keyword" + }, + "rule_title": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "timestamp": { + "type": "keyword" + }, + "unknown": { + "type": "long" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "docker": { + "properties": { + "Action": { + "type": "keyword" + }, + "Actor": { + "properties": { + "Attributes": { + "properties": { + "image": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "Type": { + "type": "keyword" + } + } + }, + "dstip": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "gcp": { + "properties": { + "jsonPayload": { + "properties": { + "authAnswer": { + "type": "keyword" + }, + "queryName": { + "type": "keyword" + }, + "responseCode": { + "type": "keyword" + }, + "vmInstanceId": { + "type": "keyword" + }, + "vmInstanceName": { + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "labels": { + "properties": { + "location": { + "type": "keyword" + }, + "project_id": { + "type": "keyword" + }, + "source_type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + }, + "github": { + "properties": { + "action": { + "type": "keyword" + }, + "actor": { + "type": "keyword" + }, + "actor_location": { + "properties": { + "country_code": { + "type": "keyword" + } + } + }, + "org": { + "type": "keyword" + }, + "repo": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "cpu_cores": { + "type": "long" + 
}, + "cpu_mhz": { + "type": "double" + }, + "cpu_name": { + "type": "keyword" + }, + "ram_free": { + "type": "long" + }, + "ram_total": { + "type": "long" + }, + "ram_usage": { + "type": "long" + }, + "serial": { + "type": "keyword" + } + } + }, + "id": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "adapter": { + "type": "keyword" + }, + "ipv4": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "ipv6": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "mac": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "rx_bytes": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "rx_packets": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_bytes": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "tx_packets": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "office365": { + "properties": { + "Actor": { + "properties": { + "ID": { + "type": "keyword" + } + } + }, + "ClientIP": { + "type": "keyword" + }, + "Operation": { + "type": "keyword" + }, + "ResultStatus": { + "type": "keyword" + }, + "Subscription": { + "type": "keyword" + }, + "UserId": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "display_version": { + "type": 
"keyword" + }, + "hostname": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "osquery": { + "properties": { + "action": { + "type": "keyword" + }, + "calendarTime": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "pack": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "inode": { + "type": "long" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + }, + "protocol": { + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_queue": { + "type": "long" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + 
"cmd": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "nice": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "priority": { + "type": "long" + }, + "processor": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "rgroup": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "session": { + "type": "long" + }, + "sgroup": { + "type": "keyword" + }, + "share": { + "type": "long" + }, + "size": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "stime": { + "type": "long" + }, + "suser": { + "type": "keyword" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "vm_size": { + "type": "long" + } + } + }, + "program": { + "properties": { + "architecture": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "format": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "location": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "source": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "sca": { + "properties": { + "check": { + "properties": { + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "file": { 
+ "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "failed": { + "type": "integer" + }, + "file": { + "type": "keyword" + }, + "invalid": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "policy": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "total_checks": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "srcip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "assigner": { + "type": "keyword" + }, + "cve": { 
+ "type": "keyword" + }, + "cve_version": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + }, + "updated": { + "type": "date" + } + } + } + } + }, + "decoder": { + "properties": { + 
"accumulate": { + "type": "long" + }, + "fts": { + "type": "long" + }, + "ftscomment": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "parent": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "host": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "predecoder": { + "properties": { + "hostname": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + } + } + }, + "previous_log": { + "type": "text" + }, + "previous_output": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "rule": { + "properties": { + "cis": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "firedtimes": { + "type": "long" + }, + "frequency": { + "type": "long" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "mail": { + "type": "boolean" + }, + "mitre": { + "properties": { + "id": { + "type": "keyword" + }, + "tactic": { + "type": "keyword" + }, + "technique": { + "type": "keyword" + } + } + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "tsc": { + "type": "keyword" + } + } + }, + "syscheck": { + "properties": { + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + 
"login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "hard_links": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "path": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "size_after": { + "type": "long" + }, + "size_before": { + "type": "long" + }, + "tags": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": "keyword" + } + } + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "text" + } + } + }, + "aliases": {} + }, + "version": 1 +} 
diff --git a/integrations/external/config/logstash/logstash-indexer.conf b/integrations/external/config/logstash/logstash-indexer.conf
new file mode 100644
index 0000000000000..d79551271434d
--- /dev/null
+++ b/integrations/external/config/logstash/logstash-indexer.conf
@@ -0,0 +1,55 @@
+input {
+ opensearch {
+ hosts => ["wazuh.indexer:9200"]
+ user => "admin"
+ password => "SecretPassword"
+ index => "wazuh-alerts-4.x-*"
+ ssl => true
+ ca_file => "/etc/ssl/root-ca.pem"
+ query => '{
+ "query": {
+ "range": {
+ "@timestamp": {
+ "gt": "now-1m"
+ }
+ }
+ }
+ }'
+ schedule => "* * * * *"
+ }
+}
+output {
+ http {
+ format => "json" # format of forwarded logs
+ http_method => "post" # HTTP method used to forward logs
+ url => "https://splunk:8088/services/collector/raw" # endpoint to forward logs to
+ headers => ["Authorization", "Splunk a51ddfbd-3a69-468f-a235-e63f5d9704cc"]
+ cacert => "/etc/ssl/root-ca.pem"
+ }
+ elasticsearch {
+ hosts => "es01"
+ index => "indexer-wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+ user => "elastic"
+ password => "changeme"
+ ssl => true
+ cacert => '/etc/certs/elastic/ca/ca.crt'
+ template => '/etc/logstash/es_template.json'
+ template_name => 'wazuh'
+ template_overwrite => true
+ }
+ opensearch {
+ hosts => ["opensearch"]
+ auth_type => {
+ type => 'basic'
+ user => 'admin'
+ password => 'admin'
+ }
+ index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+ ssl => true
+ cacert => "/etc/ssl/root-ca.pem"
+ template => '/etc/logstash/os_template.json'
+ template_name => 'wazuh'
+ template_overwrite => true
+ legacy_template => false
+ }
+}
diff --git a/integrations/external/config/logstash/logstash-manager.conf b/integrations/external/config/logstash/logstash-manager.conf
new file mode 100644
index 0000000000000..2a2c36af8cefa
--- /dev/null
+++ b/integrations/external/config/logstash/logstash-manager.conf
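Review bot: The pipeline hard-codes credentials in clear text: the `admin` password in the `opensearch` input, the Splunk HEC token in the `http` output's `headers`, and the `elastic` and `admin` passwords in the two index outputs; the same two output passwords recur in the logstash-manager.conf hunk. Logstash resolves `${VAR}` references from the environment or its keystore, so these can read `password => "${ELASTIC_PASSWORD}"` (already defined in the `.env` this commit adds, assuming it is passed to the Logstash container) and `headers => ["Authorization", "Splunk ${SPLUNK_HEC_TOKEN}"]` (placeholder variable name). Separately, the input polls every minute for `"gt": "now-1m"`, so a delayed run or an alert indexed more than a minute after its `@timestamp` is never forwarded, while overlapping runs forward duplicates; a wider window plus `document_id` on the two index outputs would make the overlap harmless there.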
@@ -0,0 +1,40 @@
+input {
+ file {
+ id => "wazuh_alerts"
+ codec => "json"
+ start_position => "beginning"
+ stat_interval => "1 second"
+ path => "/var/ossec/logs/alerts/alerts.json"
+ mode => "tail"
+ ecs_compatibility => "disabled"
+ }
+}
+output {
+ elasticsearch {
+ hosts => "es01"
+ index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+ user => "elastic"
+ password => "changeme"
+ ssl => true
+ cacert => '/etc/certs/elastic/ca/ca.crt'
+ template => '/etc/logstash/es_template.json'
+ template_name => 'wazuh'
+ template_overwrite => true
+ }
+ opensearch {
+ hosts => ["opensearch"]
+ auth_type => {
+ type => 'basic'
+ user => 'admin'
+ password => 'admin'
+ }
+ index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+ ssl => true
+ cacert => "/etc/ssl/root-ca.pem"
+ template => '/etc/logstash/os_template.json'
+ template_name => 'wazuh'
+ template_overwrite => true
+ legacy_template => false
+ }
+ stdout{}
+}
diff --git a/integrations/external/config/logstash/os_template.json b/integrations/external/config/logstash/os_template.json
new file mode 100644
index 0000000000000..1fee33afc4da8
--- /dev/null
+++ b/integrations/external/config/logstash/os_template.json
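Review bot: The bare `stdout{}` at the end of `output` also writes every alert read from `/var/ossec/logs/alerts/alerts.json` to the Logstash process output, so full alert contents end up in container logs, which usually have looser access control and retention than the indexes. If it is only there for debugging, drop it or leave it commented, e.g. `# stdout { codec => rubydebug }  # debug only`. Also, `start_position => "beginning"` relies on the sincedb to remember the read offset; if that file is not on a persistent volume (not visible in this hunk), each container restart re-sends the whole alerts file, and since neither output sets `document_id` the alerts would be indexed again as duplicates.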
@@ -0,0 +1,2039 @@ +{ + "index_patterns": "wazuh-*", + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "refresh_interval": "5s", + "number_of_shards": "3", + "auto_expand_replicas": "0-1", + "query": { + "default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + 
"data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + 
"data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + 
"data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + 
"data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + "data.vulnerability.cvss.cvss3.vector.user_interaction", + 
"data.vulnerability.cwe_reference", + "data.vulnerability.package.source", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.severity", + "data.vulnerability.title", + "data.vulnerability.assigner", + "data.vulnerability.cve_version", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + 
"data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.mitre.id", + "rule.mitre.tactic", + "rule.mitre.technique", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.mode", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "number_of_replicas": "0" + } + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + 
"city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "agent": { + "properties": { + "id": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "properties": { + "action": { + "type": "keyword" + }, + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": 
"keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "accountId": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "createdAt": { + "type": "date" + }, + "dstaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "log_info": { + "properties": { + "s3bucket": { + "type": "keyword" + } + } + }, + "region": { + "type": "keyword" + }, + "resource": { + "properties": { + "instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + }, + "service": { + "properties": { + "action": { + "properties": { + "networkConnectionAction": { + "properties": { + "remoteIpDetails": { + "properties": { + "geoLocation": { + "type": "geo_point" + }, + "ipAddressV4": { + "type": "ip" + } + } + } + } + } + } + }, + "count": { + "type": "long" + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "source": { + "type": "keyword" + }, + "source_ip_address": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" 
+ }, + "start": { + "type": "date" + }, + "updatedAt": { + "type": "date" + } + } + }, + "cis": { + "properties": { + "benchmark": { + "type": "keyword" + }, + "error": { + "type": "long" + }, + "fail": { + "type": "long" + }, + "group": { + "type": "keyword" + }, + "notchecked": { + "type": "long" + }, + "pass": { + "type": "long" + }, + "result": { + "type": "keyword" + }, + "rule_title": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "timestamp": { + "type": "keyword" + }, + "unknown": { + "type": "long" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "docker": { + "properties": { + "Action": { + "type": "keyword" + }, + "Actor": { + "properties": { + "Attributes": { + "properties": { + "image": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "Type": { + "type": "keyword" + } + } + }, + "dstip": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "gcp": { + "properties": { + "jsonPayload": { + "properties": { + "authAnswer": { + "type": "keyword" + }, + "queryName": { + "type": "keyword" + }, + "responseCode": { + "type": "keyword" + }, + "vmInstanceId": { + "type": "keyword" + }, + "vmInstanceName": { + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "labels": { + "properties": { + "location": { + "type": "keyword" + }, + "project_id": { + "type": "keyword" + }, + "source_type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + }, + "github": { + "properties": { + "action": { + "type": "keyword" + }, + "actor": { + "type": "keyword" + }, + "actor_location": { + "properties": { + "country_code": { + "type": "keyword" + } + } + }, + "org": { + "type": "keyword" + }, + "repo": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "cpu_cores": { + "type": "long" + 
}, + "cpu_mhz": { + "type": "double" + }, + "cpu_name": { + "type": "keyword" + }, + "ram_free": { + "type": "long" + }, + "ram_total": { + "type": "long" + }, + "ram_usage": { + "type": "long" + }, + "serial": { + "type": "keyword" + } + } + }, + "id": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "adapter": { + "type": "keyword" + }, + "ipv4": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "ipv6": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "mac": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "rx_bytes": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "rx_packets": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_bytes": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "tx_packets": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "office365": { + "properties": { + "Actor": { + "properties": { + "ID": { + "type": "keyword" + } + } + }, + "ClientIP": { + "type": "keyword" + }, + "Operation": { + "type": "keyword" + }, + "ResultStatus": { + "type": "keyword" + }, + "Subscription": { + "type": "keyword" + }, + "UserId": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "display_version": { + "type": 
"keyword" + }, + "hostname": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "osquery": { + "properties": { + "action": { + "type": "keyword" + }, + "calendarTime": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "pack": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "inode": { + "type": "long" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + }, + "protocol": { + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_queue": { + "type": "long" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + 
"cmd": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "nice": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "priority": { + "type": "long" + }, + "processor": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "rgroup": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "session": { + "type": "long" + }, + "sgroup": { + "type": "keyword" + }, + "share": { + "type": "long" + }, + "size": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "stime": { + "type": "long" + }, + "suser": { + "type": "keyword" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "vm_size": { + "type": "long" + } + } + }, + "program": { + "properties": { + "architecture": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "format": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "location": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "source": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "sca": { + "properties": { + "check": { + "properties": { + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "file": { 
+ "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "failed": { + "type": "integer" + }, + "file": { + "type": "keyword" + }, + "invalid": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "policy": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "total_checks": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "srcip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "assigner": { + "type": "keyword" + }, + "cve": { 
+ "type": "keyword" + }, + "cve_version": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + }, + "updated": { + "type": "date" + } + } + } + } + }, + "decoder": { + "properties": { + 
"accumulate": { + "type": "long" + }, + "fts": { + "type": "long" + }, + "ftscomment": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "parent": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "host": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "predecoder": { + "properties": { + "hostname": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + } + } + }, + "previous_log": { + "type": "text" + }, + "previous_output": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "rule": { + "properties": { + "cis": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "firedtimes": { + "type": "long" + }, + "frequency": { + "type": "long" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "mail": { + "type": "boolean" + }, + "mitre": { + "properties": { + "id": { + "type": "keyword" + }, + "tactic": { + "type": "keyword" + }, + "technique": { + "type": "keyword" + } + } + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "tsc": { + "type": "keyword" + } + } + }, + "syscheck": { + "properties": { + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + 
"login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "hard_links": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "path": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "size_after": { + "type": "long" + }, + "size_before": { + "type": "long" + }, + "tags": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": "keyword" + } + } + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "text" + } + } + }, + "aliases": {} + }, + "version": 1 +} 
diff --git a/integrations/external/config/logstash/os_templatee.json b/integrations/external/config/logstash/os_templatee.json
new file mode 100644
index 0000000000000..d72904902ffc5
--- /dev/null
+++ b/integrations/external/config/logstash/os_templatee.json
@@ -0,0 +1,2035 @@
+{
+ "order": 0,
+ "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
+ "settings": {
+ "index.refresh_interval": "5s",
+ "index.number_of_shards": "3",
+ "index.number_of_replicas": "0",
+ "index.auto_expand_replicas": "0-1",
+ "index.mapping.total_fields.limit": 10000,
+ "index.query.default_field": [
+ "GeoLocation.city_name",
+ "GeoLocation.continent_code",
+ "GeoLocation.country_code2",
+ "GeoLocation.country_code3",
+ "GeoLocation.country_name",
+ "GeoLocation.ip",
+ "GeoLocation.postal_code",
+ "GeoLocation.real_region_name",
+ "GeoLocation.region_name",
+ "GeoLocation.timezone",
+ "agent.id",
+ "agent.ip",
+ "agent.name",
+ "cluster.name",
+ "cluster.node",
+ "command",
+ "data",
+ "data.action",
+ "data.audit",
+ "data.audit.acct",
+ "data.audit.arch",
+ "data.audit.auid",
+ "data.audit.command",
+ "data.audit.cwd",
+ "data.audit.dev",
+ "data.audit.directory.inode",
+ "data.audit.directory.mode",
+ "data.audit.directory.name",
+ "data.audit.egid",
+ "data.audit.enforcing",
+ "data.audit.euid",
+ "data.audit.exe",
+ "data.audit.execve.a0",
+ "data.audit.execve.a1",
+ "data.audit.execve.a2",
+ "data.audit.execve.a3",
+ "data.audit.exit",
+ "data.audit.file.inode",
+ "data.audit.file.mode",
+ "data.audit.file.name",
+ "data.audit.fsgid",
+ "data.audit.fsuid",
+ "data.audit.gid",
+ "data.audit.id",
+ "data.audit.key",
+ "data.audit.list",
+ "data.audit.old-auid",
+ "data.audit.old-ses",
+ "data.audit.old_enforcing",
+ "data.audit.old_prom",
+ "data.audit.op",
+ "data.audit.pid",
+ "data.audit.ppid",
+ "data.audit.prom",
+ "data.audit.res",
+ "data.audit.session",
+ "data.audit.sgid",
+ "data.audit.srcip",
+ "data.audit.subj",
+ "data.audit.success",
+ "data.audit.suid",
+ "data.audit.syscall",
+ "data.audit.tty",
+ "data.audit.uid",
+ "data.aws.accountId",
+ "data.aws.account_id",
+ "data.aws.action",
+ "data.aws.actor",
+ "data.aws.aws_account_id",
+ "data.aws.description",
+ "data.aws.dstport",
+ "data.aws.errorCode",
+ "data.aws.errorMessage",
+ "data.aws.eventID",
+ "data.aws.eventName",
+ "data.aws.eventSource",
+ "data.aws.eventType",
+ "data.aws.id",
+ "data.aws.name",
+ "data.aws.requestParameters.accessKeyId",
+ "data.aws.requestParameters.bucketName",
+ "data.aws.requestParameters.gatewayId",
+ "data.aws.requestParameters.groupDescription",
+ "data.aws.requestParameters.groupId",
+ "data.aws.requestParameters.groupName",
+ "data.aws.requestParameters.host",
+ "data.aws.requestParameters.hostedZoneId",
+ "data.aws.requestParameters.instanceId",
+ "data.aws.requestParameters.instanceProfileName",
+ "data.aws.requestParameters.loadBalancerName",
+ "data.aws.requestParameters.loadBalancerPorts",
+ "data.aws.requestParameters.masterUserPassword",
+ "data.aws.requestParameters.masterUsername",
+ "data.aws.requestParameters.name",
+ "data.aws.requestParameters.natGatewayId",
+ "data.aws.requestParameters.networkAclId",
+ "data.aws.requestParameters.path",
+ "data.aws.requestParameters.policyName",
+ "data.aws.requestParameters.port",
+ "data.aws.requestParameters.stackId",
+ "data.aws.requestParameters.stackName",
+ "data.aws.requestParameters.subnetId",
+ "data.aws.requestParameters.subnetIds",
+ "data.aws.requestParameters.volumeId",
+ "data.aws.requestParameters.vpcId",
+ "data.aws.resource.accessKeyDetails.accessKeyId",
+ "data.aws.resource.accessKeyDetails.principalId",
+ "data.aws.resource.accessKeyDetails.userName",
+ "data.aws.resource.instanceDetails.instanceId",
+ "data.aws.resource.instanceDetails.instanceState",
+ "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
+ "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
+ "data.aws.resource.instanceDetails.networkInterfaces.subnetId",
+ "data.aws.resource.instanceDetails.networkInterfaces.vpcId",
+ "data.aws.resource.instanceDetails.tags.value",
+ "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
+ "data.aws.responseElements.description",
+ "data.aws.responseElements.instanceId",
+ "data.aws.responseElements.instances.instanceId",
+ "data.aws.responseElements.instancesSet.items.instanceId",
+ "data.aws.responseElements.listeners.port",
+ "data.aws.responseElements.loadBalancerName",
+ "data.aws.responseElements.loadBalancers.vpcId",
+ "data.aws.responseElements.loginProfile.userName",
+ "data.aws.responseElements.networkAcl.vpcId",
+ "data.aws.responseElements.ownerId",
+ "data.aws.responseElements.publicIp",
+ "data.aws.responseElements.user.userId",
+ "data.aws.responseElements.user.userName",
+ "data.aws.responseElements.volumeId",
+ "data.aws.service.serviceName",
+ "data.aws.severity",
+ "data.aws.source",
+ "data.aws.sourceIPAddress",
+ "data.aws.srcport",
+ "data.aws.userIdentity.accessKeyId",
+ "data.aws.userIdentity.accountId",
+ "data.aws.userIdentity.userName",
+ "data.aws.vpcEndpointId",
+ "data.command",
+ "data.cis.group",
+ "data.cis.rule_title",
+ "data.data",
+ "data.docker.Actor.Attributes.container",
+ "data.docker.Actor.Attributes.image",
+ "data.docker.Actor.Attributes.name",
+ "data.docker.Actor.ID",
+ "data.docker.id",
+ "data.docker.message",
+ "data.docker.status",
+ "data.dstip",
+ "data.dstport",
+ "data.dstuser",
+ "data.extra_data",
+ "data.gcp.jsonPayload.queryName",
+ "data.gcp.jsonPayload.vmInstanceName",
+ "data.gcp.resource.labels.location",
+ "data.gcp.resource.labels.project_id",
+ "data.gcp.resource.labels.source_type",
+ "data.gcp.resource.type",
+ "data.github.org",
+ "data.github.actor",
+ "data.github.action",
+ "data.github.repo",
+ "data.hardware.serial",
+ "data.id",
+ "data.integration",
+ "data.netinfo.iface.adapter",
+ "data.netinfo.iface.ipv4.address",
+ "data.netinfo.iface.ipv6.address",
+ "data.netinfo.iface.mac",
+ "data.netinfo.iface.name",
+ "data.office365.Actor.ID",
+ "data.office365.UserId",
+ "data.office365.Operation",
+ "data.office365.ClientIP",
+ "data.os.architecture",
+ "data.os.build",
+ "data.os.codename",
+ "data.os.hostname",
+ "data.os.major",
+ "data.os.minor",
+ "data.os.patch",
+ "data.os.name",
+ "data.os.platform",
+ "data.os.release",
+ "data.os.release_version",
+ "data.os.display_version",
+ "data.os.sysname",
+ "data.os.version",
+ "data.oscap.check.description",
+ "data.oscap.check.id",
+ "data.oscap.check.identifiers",
+ "data.oscap.check.oval.id",
+ "data.oscap.check.rationale",
+ "data.oscap.check.references",
+ "data.oscap.check.result",
+ "data.oscap.check.severity",
+ "data.oscap.check.title",
+ "data.oscap.scan.benchmark.id",
+ "data.oscap.scan.content",
+ "data.oscap.scan.id",
+ "data.oscap.scan.profile.id",
+ "data.oscap.scan.profile.title",
+ "data.osquery.columns.address",
+ "data.osquery.columns.command",
+ "data.osquery.columns.description",
+ "data.osquery.columns.dst_ip",
+ "data.osquery.columns.gid",
+ "data.osquery.columns.hostname",
+ "data.osquery.columns.md5",
+ "data.osquery.columns.path",
+ "data.osquery.columns.sha1",
+ "data.osquery.columns.sha256",
+ "data.osquery.columns.src_ip",
+ "data.osquery.columns.user",
+ "data.osquery.columns.username",
+ "data.osquery.name",
+ "data.osquery.pack",
+ "data.port.process",
+ "data.port.protocol",
+ "data.port.state",
+ "data.process.args",
+ "data.process.cmd",
+ "data.process.egroup",
+ "data.process.euser",
+ "data.process.fgroup",
+ "data.process.name",
+ "data.process.rgroup",
+ "data.process.ruser",
+ "data.process.sgroup",
+ "data.process.state",
+ "data.process.suser",
+ "data.program.architecture",
+ "data.program.description",
+ "data.program.format",
+ "data.program.location",
+ "data.program.multiarch",
+ "data.program.name",
+ "data.program.priority",
+ "data.program.section",
+ "data.program.source",
+ "data.program.vendor",
+ "data.program.version",
+ "data.protocol",
+ "data.pwd",
+ "data.sca",
+ "data.sca.check.compliance.cis",
+ "data.sca.check.compliance.cis_csc",
+ "data.sca.check.compliance.pci_dss",
+ "data.sca.check.compliance.hipaa",
+ "data.sca.check.compliance.nist_800_53",
+ "data.sca.check.description",
+ "data.sca.check.directory",
+ "data.sca.check.file",
+ "data.sca.check.id",
+ "data.sca.check.previous_result",
+ "data.sca.check.process",
+ "data.sca.check.rationale",
+ "data.sca.check.reason",
+ "data.sca.check.references",
+ "data.sca.check.registry",
+ "data.sca.check.remediation",
+ "data.sca.check.result",
+ "data.sca.check.status",
+ "data.sca.check.title",
+ "data.sca.description",
+ "data.sca.file",
+ "data.sca.invalid",
+ "data.sca.name",
+ "data.sca.policy",
+ "data.sca.policy_id",
+ "data.sca.scan_id",
+ "data.sca.total_checks",
+ "data.script",
+ "data.src_ip",
+ "data.src_port",
+ "data.srcip",
+ "data.srcport",
+ "data.srcuser",
+ "data.status",
+ "data.system_name",
+ "data.title",
+ "data.tty",
+ "data.uid",
+ "data.url",
+ "data.virustotal.description",
+ "data.virustotal.error",
+ "data.virustotal.found",
+ "data.virustotal.permalink",
+ "data.virustotal.scan_date",
+ "data.virustotal.sha1",
+ "data.virustotal.source.alert_id",
+ "data.virustotal.source.file",
+ "data.virustotal.source.md5",
+ "data.virustotal.source.sha1",
+ "data.vulnerability.cve",
+ "data.vulnerability.cvss.cvss2.base_score",
+ "data.vulnerability.cvss.cvss2.exploitability_score",
+ "data.vulnerability.cvss.cvss2.impact_score",
+ "data.vulnerability.cvss.cvss2.vector.access_complexity",
+ "data.vulnerability.cvss.cvss2.vector.attack_vector",
+ "data.vulnerability.cvss.cvss2.vector.authentication",
+ "data.vulnerability.cvss.cvss2.vector.availability",
+ "data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
+ "data.vulnerability.cvss.cvss2.vector.integrity_impact",
+ "data.vulnerability.cvss.cvss2.vector.privileges_required",
+ "data.vulnerability.cvss.cvss2.vector.scope",
+ "data.vulnerability.cvss.cvss2.vector.user_interaction",
+ "data.vulnerability.cvss.cvss3.base_score",
+ "data.vulnerability.cvss.cvss3.exploitability_score",
+ "data.vulnerability.cvss.cvss3.impact_score",
+ "data.vulnerability.cvss.cvss3.vector.access_complexity",
+ "data.vulnerability.cvss.cvss3.vector.attack_vector",
+ "data.vulnerability.cvss.cvss3.vector.authentication",
+ "data.vulnerability.cvss.cvss3.vector.availability",
+ "data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
+ "data.vulnerability.cvss.cvss3.vector.integrity_impact",
+ "data.vulnerability.cvss.cvss3.vector.privileges_required",
+ "data.vulnerability.cvss.cvss3.vector.scope",
+ "data.vulnerability.cvss.cvss3.vector.user_interaction",
+ "data.vulnerability.cwe_reference",
+ "data.vulnerability.package.source",
+ "data.vulnerability.package.architecture",
+ "data.vulnerability.package.condition",
+ "data.vulnerability.package.generated_cpe",
+ "data.vulnerability.package.name",
+ "data.vulnerability.package.version",
+ "data.vulnerability.rationale",
+ "data.vulnerability.severity",
+ "data.vulnerability.title",
+ "data.vulnerability.assigner",
+ "data.vulnerability.cve_version",
+ "data.win.eventdata.auditPolicyChanges",
+ "data.win.eventdata.auditPolicyChangesId",
+ "data.win.eventdata.binary",
+ "data.win.eventdata.category",
+ "data.win.eventdata.categoryId",
+ "data.win.eventdata.data",
+ "data.win.eventdata.image",
+ "data.win.eventdata.ipAddress",
+ "data.win.eventdata.ipPort",
+ "data.win.eventdata.keyName",
+ "data.win.eventdata.logonGuid",
+ "data.win.eventdata.logonProcessName",
+ "data.win.eventdata.operation",
+ "data.win.eventdata.parentImage",
+ "data.win.eventdata.processId",
+ "data.win.eventdata.processName",
+ "data.win.eventdata.providerName",
+ "data.win.eventdata.returnCode",
+ "data.win.eventdata.service",
+ "data.win.eventdata.status",
+ "data.win.eventdata.subcategory",
+ "data.win.eventdata.subcategoryGuid",
+ "data.win.eventdata.subcategoryId",
+ "data.win.eventdata.subjectDomainName",
+ "data.win.eventdata.subjectLogonId",
+ "data.win.eventdata.subjectUserName",
+ "data.win.eventdata.subjectUserSid",
+ "data.win.eventdata.targetDomainName",
+ "data.win.eventdata.targetLinkedLogonId",
+ "data.win.eventdata.targetLogonId",
+ "data.win.eventdata.targetUserName",
+ "data.win.eventdata.targetUserSid",
+ "data.win.eventdata.workstationName",
+ "data.win.system.channel",
+ "data.win.system.computer",
+ "data.win.system.eventID",
+ "data.win.system.eventRecordID",
+ "data.win.system.eventSourceName",
+ "data.win.system.keywords",
+ "data.win.system.level",
+ "data.win.system.message",
+ "data.win.system.opcode",
+ "data.win.system.processID",
+ "data.win.system.providerGuid",
+ "data.win.system.providerName",
+ "data.win.system.securityUserID",
+ "data.win.system.severityValue",
+ "data.win.system.userID",
+ "decoder.ftscomment",
+ "decoder.name",
+ "decoder.parent",
+ "full_log",
+ "host",
+ "id",
+ "input",
+ "location",
+ "manager.name",
+ "message",
+ "offset",
+ "predecoder.hostname",
+ "predecoder.program_name",
+ "previous_log",
+ "previous_output",
+ "program_name",
+ "rule.cis",
+ "rule.cve",
+ "rule.description",
+ "rule.gdpr",
+ "rule.gpg13",
+ "rule.groups",
+ "rule.id",
+ "rule.info",
+ "rule.mitre.id",
+ "rule.mitre.tactic",
+ "rule.mitre.technique",
+ "rule.pci_dss",
+ "rule.hipaa",
+ "rule.nist_800_53",
+ "syscheck.audit.effective_user.id",
+ "syscheck.audit.effective_user.name",
+ "syscheck.audit.group.id",
+ "syscheck.audit.group.name",
+ "syscheck.audit.login_user.id",
+ "syscheck.audit.login_user.name",
+ "syscheck.audit.process.id",
+ "syscheck.audit.process.name",
+ "syscheck.audit.process.ppid",
+ "syscheck.audit.user.id",
+ "syscheck.audit.user.name",
+ "syscheck.diff",
+ "syscheck.event",
+ "syscheck.gid_after",
+ "syscheck.gid_before",
+ "syscheck.gname_after",
+ "syscheck.gname_before",
+ "syscheck.inode_after",
+ "syscheck.inode_before",
+ "syscheck.md5_after",
+ "syscheck.md5_before",
+ "syscheck.path",
+ "syscheck.mode",
+ "syscheck.perm_after",
+ "syscheck.perm_before",
+ "syscheck.sha1_after",
+ "syscheck.sha1_before",
+ "syscheck.sha256_after",
+ "syscheck.sha256_before",
+ "syscheck.tags",
+ "syscheck.uid_after",
+ "syscheck.uid_before",
+ "syscheck.uname_after",
+ "syscheck.uname_before",
+ "syscheck.arch",
+ "syscheck.value_name",
+ "syscheck.value_type",
+ "syscheck.changed_attributes",
+ "title",
+ "type"
+ ]
+ },
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "string_as_keyword": {
+ "mapping": {
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false,
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "timestamp": {
+ "type": "date",
+ "format": "date_optional_time||epoch_millis"
+ },
+ "@version": {
+ "type": "text"
+ },
+ "agent": {
+ "properties": {
+ "ip": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "manager": {
+ "properties": {
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "cluster": {
+ "properties": {
+ "name": {
+ "type": "keyword"
+ },
+ "node": {
+ "type": "keyword"
+ }
+ }
+ },
+ "full_log": {
+ "type": "text"
+ },
+ "previous_log": {
+ "type": "text"
+ },
+ "GeoLocation": {
+ "properties": {
+ "area_code": {
+ "type": "long"
+ },
+ "city_name": {
+ "type": "keyword"
+ },
+ "continent_code": {
+ "type": "text"
+ },
+ "coordinates": {
+ "type": "double"
+ },
+ "country_code2": {
+ "type": "text"
+ },
+ "country_code3": {
+ "type": "text"
+ },
+ "country_name": {
+ "type": "keyword"
+ },
+ "dma_code": {
+ "type": "long"
+ },
+ "ip": {
+ "type": "keyword"
+ },
+ "latitude": {
+ "type": "double"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "longitude": {
+ "type": "double"
+ },
+ "postal_code": {
+ "type": "keyword"
+ },
+ "real_region_name": {
+ "type": "keyword"
+ },
+ "region_name": {
+ "type": "keyword"
+ },
+ "timezone": {
+ "type": "text"
+ }
+ }
+ },
+ "host": {
+ "type": "keyword"
+ },
+ "syscheck": {
+ "properties": {
+ "path": {
+ "type": "keyword"
+ },
+ "hard_links": {
+ "type": "keyword"
+ },
+ "mode": {
+ "type": "keyword"
+ },
+ "sha1_before": {
+ "type": "keyword"
+ },
+ "sha1_after": {
+ "type": "keyword"
+ },
+ "uid_before": {
+ "type": "keyword"
+ },
+ "uid_after": {
+ "type": "keyword"
+ },
+ "gid_before": {
+ "type": "keyword"
+ },
+ "gid_after": {
+ "type": "keyword"
+ },
+ "perm_before": {
+ "type": "keyword"
+ },
+ "perm_after": {
+ "type": "keyword"
+ },
+ "md5_after": {
+ "type": "keyword"
+ },
+ "md5_before": {
+ "type": "keyword"
+ },
+ "gname_after": {
+ "type": "keyword"
+ },
+ "gname_before": {
+ "type": "keyword"
+ },
+ "inode_after": {
+ "type": "keyword"
+ },
+ "inode_before": {
+ "type": "keyword"
+ },
+ "mtime_after": {
+ "type": "date",
+ "format": "date_optional_time"
+ },
+ "mtime_before": {
+ "type": "date",
+ "format": "date_optional_time"
+ },
+ "uname_after": {
+ "type": "keyword"
+ },
+ "uname_before": {
+ "type": "keyword"
+ },
+ "size_before": {
+ "type": "long"
+ },
+ "size_after": {
+ "type": "long"
+ },
+ "diff": {
+ "type": "keyword"
+ },
+ "event": {
+ "type": "keyword"
+ },
+ "audit": {
+ "properties": {
+ "effective_user": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "group": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "login_user": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "process": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "ppid": {
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "sha256_after": {
+ "type": "keyword"
+ },
+ "sha256_before": {
+ "type": "keyword"
+ },
+ "tags": {
+ "type": "keyword"
+ }
+ }
+ },
+ "location": {
+ "type": "keyword"
+ },
+ "message": {
+ "type": "text"
+ },
+ "offset": {
+ "type": "keyword"
+ },
+ "rule": {
+ "properties": {
+ "description": {
+ "type": "keyword"
+ },
+ "groups": {
+ "type": "keyword"
+ },
+ "level": {
+ "type": "long"
+ },
+ "tsc": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "cve": {
+ "type": "keyword"
+ },
+ "info": {
+ "type": "keyword"
+ },
+ "frequency": {
+ "type": "long"
+ },
+ "firedtimes": {
+ "type": "long"
+ },
+ "cis": {
+ "type": "keyword"
+ },
+ "pci_dss": {
+ "type": "keyword"
+ },
+ "gdpr": {
+ "type": "keyword"
+ },
+ "gpg13": {
+ "type": "keyword"
+ },
+ "hipaa": {
+ "type": "keyword"
+ },
+ "nist_800_53": {
+ "type": "keyword"
+ },
+ "mail": {
+ "type": "boolean"
+ },
+ "mitre": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "tactic": {
+ "type": "keyword"
+ },
+ "technique": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "predecoder": {
+ "properties": {
+ "program_name": {
+ "type": "keyword"
+ },
+ "timestamp": {
+ "type": "keyword"
+ },
+ "hostname": {
+ "type": "keyword"
+ }
+ }
+ },
+ "decoder": {
+ "properties": {
+ "parent": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "ftscomment": {
+ "type": "keyword"
+ },
+ "fts": {
+ "type": "long"
+ },
+ "accumulate": {
+ "type": "long"
+ }
+ }
+ },
+ "data": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "acct": {
+ "type": "keyword"
+ },
+ "arch": {
+ "type": "keyword"
+ },
+ "auid": {
+ "type": "keyword"
+ },
+ "command": {
+ "type": "keyword"
+ },
+ "cwd": {
+ "type": "keyword"
+ },
+ "dev": {
+ "type": "keyword"
+ },
+ "directory": {
+ "properties": {
+ "inode": {
+ "type": "keyword"
+ },
+ "mode": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "egid": {
+ "type": "keyword"
+ },
+ "enforcing": {
+ "type": "keyword"
+ },
+ "euid": {
+ "type": "keyword"
+ },
+ "exe": {
+ "type": "keyword"
+ },
+ "execve": {
+ "properties": {
+ "a0": {
+ "type": "keyword"
+ },
+ "a1": {
+ "type": "keyword"
+ },
+ "a2": {
+ "type": "keyword"
+ },
+ "a3": {
+ "type": "keyword"
+ }
+ }
+ },
+ "exit": {
+ "type": "keyword"
+ },
+ "file": {
+ "properties": {
+ "inode": {
+ "type": "keyword"
+ },
+ "mode": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ }
+ }
+ },
+ "fsgid": {
+ "type": "keyword"
+ },
+ "fsuid": {
+ "type": "keyword"
+ },
+ "gid": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "key": {
+ "type": "keyword"
+ },
+ "list": {
+ "type": "keyword"
+ },
+ "old-auid": {
+ "type": "keyword"
+ },
+ "old-ses": {
+ "type": "keyword"
+ },
+ "old_enforcing": {
+ "type": "keyword"
+ },
+ "old_prom": {
+ "type": "keyword"
+ },
+ "op": {
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "keyword"
+ },
+ "ppid": {
+ "type": "keyword"
+ },
+ "prom": {
+ "type": "keyword"
+ },
+ "res": {
+ "type": "keyword"
+ },
+ "session": {
+ "type": "keyword"
+ },
+ "sgid": {
+ "type": "keyword"
+ },
+ "srcip": {
+ "type": "keyword"
+ },
+ "subj": {
+ "type": "keyword"
+ },
+ "success": {
+ "type": "keyword"
+ },
+ "suid": {
+ "type": "keyword"
+ },
+ "syscall": {
+ "type": "keyword"
+ },
+ "tty": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ },
+ "uid": {
+ "type": "keyword"
+ }
+ }
+ },
+ "protocol": {
+ "type": "keyword"
+ },
+ "action": {
+ "type": "keyword"
+ },
+ "srcip": {
+ "type": "keyword"
+ },
+ "dstip": {
+ "type": "keyword"
+ },
+ "srcport": {
+ "type": "keyword"
+ },
+ "dstport": {
+ "type": "keyword"
+ },
+ "srcuser": {
+ "type": "keyword"
+ },
+ "dstuser": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "status": {
+ "type": "keyword"
+ },
+ "data": {
+ "type": "keyword"
+ },
+ "extra_data": {
+ "type": "keyword"
+ },
+ "system_name": {
+ "type": "keyword"
+ },
+ "url": {
+ "type": "keyword"
+ },
+ "oscap": {
+ "properties": {
+ "check": {
+ "properties": {
+ "description": {
+ "type": "text"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "identifiers": {
+ "type": "text"
+ },
+ "oval": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ }
+ }
+ },
+ "rationale": {
+ "type": "text"
+ },
+ "references": {
+ "type": "text"
+ },
+ "result": {
+ "type": "keyword"
+ },
+ "severity": {
+ "type": "keyword"
+ },
+ "title": {
+ "type": "keyword"
+ }
+ }
+ },
+ "scan": {
+ "properties": {
+ "benchmark": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ }
+ }
+ },
+ "content": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "profile": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "title": {
+ "type": "keyword"
+ }
+ }
+ },
+ "return_code": {
+ "type": "long"
+ },
+ "score": {
+ "type": "double"
+ }
+ }
+ }
+ }
+ },
+ "office365": {
+ "properties": {
+ "Actor": {
+ "properties": {
+ "ID": {
+ "type": "keyword"
+ }
+ }
+ },
+ "UserId": {
+ "type": "keyword"
+ },
+ "Operation": {
+ "type": "keyword"
+ },
+ "ClientIP": {
+ "type": "keyword"
+ },
+ "ResultStatus": {
+ "type": "keyword"
+ },
+ "Subscription": {
+ "type": "keyword"
+ }
+ }
+ },
+ "github": {
+ "properties": {
+ "org": {
+ "type": "keyword"
+ },
+ "actor": {
+ "type": "keyword"
+ },
+ "action": {
+ "type": "keyword"
+ },
+ "actor_location": {
+ "properties": {
+ "country_code": {
+ "type": "keyword"
+ }
+ }
+ },
+ "repo": {
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "type": "keyword"
+ },
+ "netinfo": {
+ "properties": {
+ "iface": {
+ "properties": {
+ "name": {
+ "type": "keyword"
+ },
+ "mac": {
+ "type": "keyword"
+ },
+ "adapter": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ },
+ "state": {
+ "type": "keyword"
+ },
+ "mtu": {
+ "type": "long"
+ },
+ "tx_bytes": {
+ "type": "long"
+ },
+ "rx_bytes": {
+ "type": "long"
+ },
+ "tx_errors": {
+ "type": "long"
+ },
+ "rx_errors": {
+ "type": "long"
+ },
+ "tx_dropped": {
+ "type": "long"
+ },
+ "rx_dropped": {
+ "type": "long"
+ },
+ "tx_packets": {
+ "type": "long"
+ },
+ "rx_packets": {
+ "type": "long"
+ },
+ "ipv4": {
+ "properties": {
+ "gateway": {
+ "type": "keyword"
+ },
+ "dhcp": {
+ "type": "keyword"
+ },
+ "address": {
+ "type": "keyword"
+ },
+ "netmask": {
+ "type": "keyword"
+ },
+ "broadcast": {
+ "type": "keyword"
+ },
+ "metric": {
+ "type": "long"
+ }
+ }
+ },
+ "ipv6": {
+ "properties": {
+ "gateway": {
+ "type": "keyword"
+ },
+ "dhcp": {
+ "type": "keyword"
+ }, + "address": { + "type": "keyword" + }, + "netmask": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "metric": { + "type": "long" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + }, + "display_version": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "tx_queue": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "inode": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword" + }, + "cpu_name": { + "type": "keyword" + }, + "cpu_cores": { + "type": "long" + }, + "cpu_mhz": { + "type": "double" + }, + "ram_total": { + "type": "long" + }, + "ram_free": { + "type": "long" + }, + "ram_usage": { + "type": "long" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + 
}, + "source": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "location": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "ppid": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "stime": { + "type": "long" + }, + "cmd": { + "type": "keyword" + }, + "args": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "suser": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "sgroup": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "rgroup": { + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "nice": { + "type": "long" + }, + "size": { + "type": "long" + }, + "vm_size": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "share": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "session": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "processor": { + "type": "long" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "policy": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "failed": { + "type": "integer" + }, + "score": { + "type": "long" + }, + "check": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + 
"nist_800_53": { + "type": "keyword" + } + } + }, + "references": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" + } + } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": 
"keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "source": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + }, + "assigner": { + "type": "keyword" + }, + "cve_version": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "source": { + "type": "keyword" + }, + "accountId": { + "type": "keyword" + }, + "log_info": { + "properties": { + "s3bucket": { + "type": "keyword" + } + } + }, + "region": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "source_ip_address": { + "type": "ip" + }, + "service": { + "properties": { + "count": { + "type": "long" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + 
"ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + }, + "cis": { + "properties": { + "benchmark": { + "type": "keyword" + }, + "error": { + "type": "long" + }, + "fail": { + "type": "long" + }, + "group": { + "type": "keyword" + }, + "notchecked": { + "type": "long" + }, + "pass": { + "type": "long" + }, + "result": { + "type": "keyword" + }, + "rule_title": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "timestamp": { + "type": "keyword" + }, + "unknown": { + "type": "long" + } + } + }, + "docker": { + "properties": { + "Action": { + "type": "keyword" + }, + "Actor": { + "properties": { + "Attributes": { + "properties": { + "image": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "Type": { + "type": "keyword" + } + } + }, + "gcp": { + "properties": { + "jsonPayload": { + "properties": { + "authAnswer": { + "type": "keyword" + }, + "queryName": { + "type": "keyword" + }, + "responseCode": { + "type": "keyword" + }, + "vmInstanceId": { + "type": "keyword" + }, + "vmInstanceName": { + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "labels": { + "properties": { + "location": { + "type": "keyword" + }, + "project_id": { + "type": "keyword" + }, + "source_type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + }, + "osquery": { + "properties": { + "name": { + "type": "keyword" + }, + "pack": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "calendarTime": { + "type": 
"keyword" + } + } + } + } + }, + "program_name": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" + } + } + }, + "version": 1 +} diff --git a/integrations/external/config/opensearch/opensearch.yml b/integrations/external/config/opensearch/opensearch.yml new file mode 100644 index 0000000000000..8dfaf55c5097d --- /dev/null +++ b/integrations/external/config/opensearch/opensearch.yml 
@@ -0,0 +1,39 @@
+network.host: "0.0.0.0"
+node.name: "opensearch"
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+ - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+ - "CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+ - "all_access"
+ - "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices:
+ [
+ ".opendistro-alerting-config",
+ ".opendistro-alerting-alert*",
+ ".opendistro-anomaly-results*",
+ ".opendistro-anomaly-detector*",
+ ".opendistro-anomaly-checkpoints",
+ ".opendistro-anomaly-detection-state",
+ ".opendistro-reports-*",
+ ".opendistro-notifications-*",
+ ".opendistro-notebooks",
+ ".opensearch-observability",
+ ".opendistro-asynchronous-search-response*",
+ ".replication-metadata-store",
+ ]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
\ No newline at end of file
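Review bot: `plugins.security.ssl.transport.enforce_hostname_verification: false` and `plugins.security.allow_default_init_securityindex: true` are set without any comment saying they are test-only relaxations, while `network.host: "0.0.0.0"` binds the node on every interface; the same three settings recur in config/wazuh_indexer/wazuh.indexer.yml later in this commit. With hostname verification off, the transport layer no longer ties a certificate to the host presenting it, so node identity rests on `nodes_dn` alone. That list names `CN=os1` while `node.name` is `opensearch`, which is worth checking against the generated certificate. I would open both files with a comment such as `# Test stack only: transport hostname verification is disabled and the demo security index is auto-initialised` so they are not copied into a real deployment unchanged.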
diff --git a/integrations/external/config/opensearch_dashboards/opensearch_dashboards.yml b/integrations/external/config/opensearch_dashboards/opensearch_dashboards.yml
new file mode 100644
index 0000000000000..3f2bc6544b56f
--- /dev/null
+++ b/integrations/external/config/opensearch_dashboards/opensearch_dashboards.yml
@@ -0,0 +1,21 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://opensearch:9200
+opensearch.ssl.verificationMode: certificate
+#osd 1.2.4
+# opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+#
+# osd 2.0
+opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
+#
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/opensearch-dashboards/config/certs/opensearch.key"
+server.ssl.certificate: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/certs/root-ca.pem"]
+opensearch.username: "kibanaserver"
+opensearch.password: "kibanaserver"
+opensearchDashboards.branding:
+ useExpandedHeader: false
+
diff --git a/integrations/external/config/splunk/default.yml b/integrations/external/config/splunk/default.yml
new file mode 100644
index 0000000000000..b4f2ea2e542b3
--- /dev/null
+++ b/integrations/external/config/splunk/default.yml
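Review bot: `opensearch.username: "kibanaserver"` with `opensearch.password: "kibanaserver"` in config/opensearch_dashboards/opensearch_dashboards.yml commits a service account whose password equals its name, and literal secrets recur in config/splunk/default.yml (`pass4SymmKey`, the HEC `token`), config/wazuh_dashboard/wazuh.yml (`password`) and config/wazuh_indexer/internal_users.yml (the demo bcrypt hashes). The part of docker-compose.yml visible in this commit publishes 8088, 55000, 9200 and 5601 on the host, so these values are usable from outside the compose network unless the ports are bound to loopback the way the commented `127.0.0.1:9200` example in `.env` does. I would mark each value with a comment such as `# demo credential for the local test stack; replace before exposing the service` and bind the published ports to 127.0.0.1 by default. Separately, `opensearch.ssl.verificationMode: certificate` here and in config/wazuh_dashboard/opensearch_dashboards.yml validates the chain but not the hostname; `full` is the stricter value if the generated certificates carry matching names.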
@@ -0,0 +1,25 @@
+splunk:
+ conf:
+ - key: web
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ settings:
+ enablesSplunkWebSSL: true
+ privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
+ serverCert: /opt/splunk/etc/auth/custom/splunk.pem
+ - key: server
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ general:
+ serverName: splunk
+ pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
+ sslConfig:
+ serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
+ hec:
+ enable: True
+ ssl: True
+ port: 8088
+ # hec.token is used only for ingestion (receiving Splunk events)
+ token: a51ddfbd-3a69-468f-a235-e63f5d9704cc
diff --git a/integrations/external/config/splunk/indexes.conf b/integrations/external/config/splunk/indexes.conf
new file mode 100644
index 0000000000000..714107e4523f4
--- /dev/null
+++ b/integrations/external/config/splunk/indexes.conf
@@ -0,0 +1,9 @@
+[wazuh-alerts]
+coldPath = $SPLUNK_DB/wazuh/colddb
+enableDataIntegrityControl = 1
+enableTsidxReduction = 1
+homePath = $SPLUNK_DB/wazuh/db
+maxTotalDataSizeMB = 512000
+thawedPath = $SPLUNK_DB/wazuh/thaweddb
+timePeriodInSecBeforeTsidxReduction = 15552000
+tsidxReductionCheckPeriodInSec =
diff --git a/integrations/external/config/splunkforwarder/inputs.conf b/integrations/external/config/splunkforwarder/inputs.conf
new file mode 100644
index 0000000000000..c97cd9c4301f7
--- /dev/null
+++ b/integrations/external/config/splunkforwarder/inputs.conf
@@ -0,0 +1,5 @@
+[monitor:///var/ossec/logs/alerts/sample_alerts.json]
+disabled = 0
+host = buildkitsandbox
+index = wazuh-alerts
+sourcetype = wazuh-alerts
diff --git a/integrations/external/config/splunkforwarder/outputs.conf b/integrations/external/config/splunkforwarder/outputs.conf
new file mode 100644
index 0000000000000..7c7210656bce5
--- /dev/null
+++ b/integrations/external/config/splunkforwarder/outputs.conf
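Review bot: In config/splunk/default.yml the web setting is spelled `enablesSplunkWebSSL`, whereas the web.conf key is `enableSplunkWebSSL`. As written the line is most likely ignored, so TLS on Splunk Web would depend only on `SPLUNK_HTTP_ENABLESSL: 'true'` in the compose file while `privKeyPath` and `serverCert` below it suggest the intent was to configure it here. The line should read `enableSplunkWebSSL: true`.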
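Review bot: The last line of config/splunk/indexes.conf, `tsidxReductionCheckPeriodInSec =`, assigns no value. With `enableTsidxReduction = 1` set in the same stanza, an empty assignment leaves the check period to however Splunk treats a blank value. I would either delete the line so the product default applies or set the period explicitly.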
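Review bot: `host = buildkitsandbox` in config/splunkforwarder/inputs.conf looks like the hostname of a Docker build container rather than of the manager that produces the alerts. Every event read from `/var/ossec/logs/alerts/sample_alerts.json` would be indexed under that host, which makes host-based searches in `wazuh-alerts` misleading. The compose service sets `hostname: wazuh.manager`, so `host = wazuh.manager` would match; alternatively the line could be dropped so the forwarder reports its own hostname.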
@@ -0,0 +1,6 @@
+defaultGroup = default-autolb-group
+
+[tcpout:default-autolb-group]
+server = splunk:9997
+
+[tcpout-server://splunk:9997]
diff --git a/integrations/external/config/splunkforwarder/props.conf b/integrations/external/config/splunkforwarder/props.conf
new file mode 100644
index 0000000000000..79d7f64e52ec9
--- /dev/null
+++ b/integrations/external/config/splunkforwarder/props.conf
@@ -0,0 +1,10 @@
+[wazuh-alerts]
+DATETIME_CONFIG =
+INDEXED_EXTRACTIONS = json
+KV_MODE = none
+NO_BINARY_CHECK = true
+category = Application
+disabled = false
+pulldown_type = true
+TIME_PREFIX = \"timestamp\"\:\"
+TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%z
diff --git a/integrations/external/config/splunkforwarder/user-seed.conf b/integrations/external/config/splunkforwarder/user-seed.conf
new file mode 100644
index 0000000000000..36380364dd6da
--- /dev/null
+++ b/integrations/external/config/splunkforwarder/user-seed.conf
@@ -0,0 +1,3 @@
+[user_info]
+USERNAME = admin
+PASSWORD = password
diff --git a/integrations/external/config/wazuh_cluster/wazuh_manager.conf b/integrations/external/config/wazuh_cluster/wazuh_manager.conf
new file mode 100644
index 0000000000000..cd432c19916b1
--- /dev/null
+++ b/integrations/external/config/wazuh_cluster/wazuh_manager.conf
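Review bot: `defaultGroup = default-autolb-group` is the first line of config/splunkforwarder/outputs.conf and sits outside any stanza; the hunk has six lines and none of them is `[tcpout]`, where this setting normally lives. I would add `[tcpout]` as the first line so the default group is certain to be picked up. The `[tcpout-server://splunk:9997]` stanza is empty and the file carries no TLS settings, so the alerts appear to travel to the indexer unencrypted. A comment saying that this is accepted only inside the compose network would help.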
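Review bot: config/splunkforwarder/user-seed.conf seeds the forwarder's admin account with `PASSWORD = password` in clear text, and the same literal is used for `SPLUNK_PASSWORD` in the compose file. user-seed.conf also accepts `HASHED_PASSWORD`, so the committed file can carry a hash produced by `splunk hash-passwd` instead of the literal, e.g. `HASHED_PASSWORD = <output of splunk hash-passwd>`.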
@@ -0,0 +1,352 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + 10m + 0 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + etc/rootcheck/rootkit_files.txt + etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + 10 + + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + bullseye + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + no + amazon-linux + amazon-linux-2 + 1h + + + + + no + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + + + + disable-account + disable-account + yes + + + + restart-wazuh + restart-wazuh + + + + firewall-drop + firewall-drop + yes + + + + host-deny + host-deny + yes + + + + route-null + route-null + yes + + + + win_route-null + route-null.exe + yes + + + + netsh + netsh.exe + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + 
+ + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + yes + 1 + 64 + 15m + + + + + no + 1515 + no + yes + no + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + etc/sslmanager.cert + etc/sslmanager.key + no + + + + wazuh + node01 + master + + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/integrations/external/config/wazuh_dashboard/opensearch_dashboards.yml b/integrations/external/config/wazuh_dashboard/opensearch_dashboards.yml new file mode 100644 index 0000000000000..e54ffa8be8faf --- /dev/null +++ b/integrations/external/config/wazuh_dashboard/opensearch_dashboards.yml @@ -0,0 +1,12 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem" +server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem" +opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"] +uiSettings.overrides.defaultRoute: /app/wazuh \ No newline at end of file diff --git a/integrations/external/config/wazuh_dashboard/wazuh.yml b/integrations/external/config/wazuh_dashboard/wazuh.yml new file mode 100644 index 0000000000000..1f7c97290170c --- /dev/null +++ b/integrations/external/config/wazuh_dashboard/wazuh.yml @@ -0,0 +1,7 @@ +hosts: + - 1513629884013: + url: "https://wazuh.manager" + port: 55000 + username: wazuh-wui + password: "MyS3cr37P450r.*-" + run_as: false \ No newline at end of file 
diff --git a/integrations/external/config/wazuh_indexer/internal_users.yml b/integrations/external/config/wazuh_indexer/internal_users.yml
new file mode 100644
index 0000000000000..e0c383a8ef46d
--- /dev/null
+++ b/integrations/external/config/wazuh_indexer/internal_users.yml
@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+ hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user"
\ No newline at end of file
diff --git a/integrations/external/config/wazuh_indexer/wazuh.indexer.yml b/integrations/external/config/wazuh_indexer/wazuh.indexer.yml
new file mode 100644
index 0000000000000..e87e35ea883ed
--- /dev/null
+++ b/integrations/external/config/wazuh_indexer/wazuh.indexer.yml
@@ -0,0 +1,28 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
\ No newline at end of file
diff --git a/integrations/external/docker-compose.yml b/integrations/external/docker-compose.yml
new file mode 100644
index 0000000000000..365dc7cb33c72
--- /dev/null
+++ b/integrations/external/docker-compose.yml
@@ -0,0 +1,414 @@
+
+services:
+ splunk:
+ image: splunk/splunk:9.0.4
+ volumes:
+ - sp_certs:/opt/splunk/etc/auth/custom
+ - ./config/splunk/default.yml:/tmp/defaults/default.yml
+ - ./config/splunk/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
+ depends_on:
+ generator:
+ condition: service_healthy
+ ports:
+ - '8000:8000'
+ - '8088:8088'
+ environment:
+ SPLUNK_START_ARGS: --accept-license
+ SPLUNK_HTTP_ENABLESSL: 'true'
+ SPLUNK_PASSWORD: password
+ SPLUNK_HOSTNAME: splunk
+ SPLUNK_STANDALONE_URL: https://splunk:8080
+
+ ## WAZUH STACK
+
+ wazuh.manager:
+ image: wazuh/wazuh-manager:${WAZUH_VERSION}
+ depends_on:
+ es01:
+ condition: service_healthy
+ hostname: wazuh.manager
+ ports:
+ - '1514:1514'
+ - '1515:1515'
+ - '514:514/udp'
+ - '55000:55000'
+ environment:
+ - INDEXER_URL=https://wazuh.indexer:9200
+ - INDEXER_USERNAME=admin
+ - INDEXER_PASSWORD=SecretPassword
+ - FILEBEAT_SSL_VERIFICATION_MODE=full
+ - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+ - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+ - SSL_KEY=/etc/ssl/filebeat-key.pem
+ - API_USERNAME=wazuh-wui
+ - API_PASSWORD=MyS3cr37P450r.*-
+ - LOGSTASH_KEYSTORE_PASS=mypassword
+ volumes:
+ - ./config/logstash/logstash-manager.conf:/etc/logstash/conf.d/logstash.conf
+ - ./config/logstash/es_template.json:/etc/logstash/es_template.json
+ - ./config/logstash/os_template.json:/etc/logstash/os_template.json
+ - wm_certs:/etc/ssl
+ - wd_certs:/etc/certs/wazuh-dashboard
+ - es_certs:/etc/certs/elastic
+ - packages:/tmp/packages
+ - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+ - ./extra/sample_alerts/changeDate.py:/tmp/changeDate.py
+ - ./extra/sample_alerts/sample.json:/tmp/sample.json
+ - ./extra/dashboards:/tmp/dashboards
+ - ./config/splunkforwarder/inputs.conf:/opt/splunkforwarder/etc/system/local/inputs.conf
+ - ./config/splunkforwarder/outputs.conf:/opt/splunkforwarder/etc/system/local/outputs.conf
+ - ./config/splunkforwarder/props.conf:/opt/splunkforwarder/etc/system/local/props.conf
+ - ./config/splunkforwarder/user-seed.conf:/opt/splunkforwarder/etc/system/local/user-seed.conf
+ command: bash -c "cd tmp
+ && cp /tmp/packages/* /opt/
+ && tar -xzf /opt/logstash.tar.gz -C /opt
+ && rm /opt/logstash.tar.gz
+ && dpkg -i /opt/splunkforwarder.deb
+ && rm /opt/splunkforwarder.deb
+ && python3 changeDate.py
+ && cat /var/ossec/logs/alerts/sample_alerts.json >> /var/ossec/logs/alerts/alerts.json
+ && cd /opt/logstash-${STACK_VERSION}
+ && bin/logstash-plugin install logstash-output-opensearch
+ && echo COSO
+ && bin/logstash -f /etc/logstash/conf.d/logstash.conf"
+ && tail -F /var/ossec/logs/ossec.log
+
+ wazuh.indexer:
+ image: wazuh/wazuh-indexer:${WAZUH_VERSION}
+ depends_on:
+ generator:
+ condition: service_healthy
+ hostname: wazuh.indexer
+ ports:
+ - '9200:9200'
+ environment:
+ - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m'
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ volumes:
+ - wi_certs:/usr/share/wazuh-indexer/config/certs/
+ - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+ - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+
+ wazuh.dashboard:
+ image: wazuh/wazuh-dashboard:${WAZUH_VERSION}
+ hostname: wazuh.dashboard
+ depends_on:
+ generator:
+ condition: service_healthy
+ ports:
+ - 5601:5601
+ environment:
+ - INDEXER_USERNAME=admin
+ - INDEXER_PASSWORD=SecretPassword
+ - WAZUH_API_URL=https://wazuh.manager
+ - API_USERNAME=wazuh-wui
+ - API_PASSWORD=MyS3cr37P450r.*-
+ volumes:
+ - wd_certs:/usr/share/wazuh-dashboard/certs
+ - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+ - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+
+ links:
+ - wazuh.indexer:wazuh.indexer
+ - wazuh.manager:wazuh.manager
+
+ ##ELASTIC STACK
+
+ setup:
+ image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+ volumes:
+ - es_certs:/usr/share/elasticsearch/config/certs
+ user: '0'
+ command: >
+ bash -c '
+ if [ x${ELASTIC_PASSWORD} == x ]; then
+ echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+ exit 1;
+ elif [ x${KIBANA_PASSWORD} == x ]; then
+ echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+ exit 1;
+ fi;
+ if [ ! -f config/certs/ca.zip ]; then
+ echo "Creating CA";
+ bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+ unzip config/certs/ca.zip -d config/certs;
+ fi;
+ if [ ! -f config/certs/certs.zip ]; then
+ echo "Creating certs";
+ echo -ne \
+ "instances:\n"\
+ " - name: es01\n"\
+ " dns:\n"\
+ " - es01\n"\
+ " - localhost\n"\
+ " ip:\n"\
+ " - 127.0.0.1\n"\
+ > config/certs/instances.yml;
+ bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+ unzip config/certs/certs.zip -d config/certs;
+ fi;
+ echo "Setting file permissions"
+ chown -R root:root config/certs;
+ find . -type d -exec chmod 750 \{\} \;;
+ find . -type f -exec chmod 640 \{\} \;;
+ echo "Waiting for Elasticsearch availability";
+ until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+ echo "Setting kibana_system password";
+ until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+ echo "All done!";
+ '
+ healthcheck:
+ test: ['CMD-SHELL', '[ -f config/certs/es01/es01.crt ]']
+ interval: 1s
+ timeout: 5s
+ retries: 120
+ es01:
+ depends_on:
+ setup:
+ condition: service_healthy
+ image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+ volumes:
+ - es_certs:/usr/share/elasticsearch/config/certs
+ ports:
+ - ${ES_PORT}:9200
+ environment:
+ - node.name=es01
+ - cluster.name=${CLUSTER_NAME}
+ - cluster.initial_master_nodes=es01
+ - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+ - bootstrap.memory_lock=true
+ - xpack.security.enabled=true
+ - xpack.security.http.ssl.enabled=true
+ - xpack.security.http.ssl.key=certs/es01/es01.key
+ - xpack.security.http.ssl.certificate=certs/es01/es01.crt
+ - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+ - xpack.security.transport.ssl.enabled=true
+ - xpack.security.transport.ssl.key=certs/es01/es01.key
+ - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
+ - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+ - xpack.security.transport.ssl.verification_mode=certificate
+ - xpack.license.self_generated.type=${LICENSE}
+ mem_limit: ${MEM_LIMIT}
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ healthcheck:
+ test:
+ [
+ 'CMD-SHELL',
+ "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
+ ]
+ interval: 10s
+ timeout: 10s
+ retries: 120
+ kibana:
+ depends_on:
+ es01:
+ condition: service_healthy
+ image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
+ volumes:
+ - es_certs:/usr/share/kibana/config/certs
+ ports:
+ - ${KIBANA_PORT}:5601
+ environment:
+ - SERVERNAME=kibana
+ - ELASTICSEARCH_HOSTS=https://es01:9200
+ - ELASTICSEARCH_USERNAME=kibana_system
+ - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
+ - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
+ mem_limit: ${MEM_LIMIT}
+ healthcheck:
+ test:
+ [
+ 'CMD-SHELL',
+ "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
+ ]
+ interval: 10s
+ timeout: 10s
+ retries: 120
+
+ ## OPENSEARCH STACK
+ opensearch:
+ image: opensearchproject/opensearch:${OS_VERSION}
+ depends_on:
+ generator:
+ condition: service_healthy
+ container_name: opensearch
+ environment:
+ - cluster.name=opensearch-cluster
+ - node.name=opensearch
+ - discovery.seed_hosts=opensearch
+ - cluster.initial_master_nodes=opensearch
+ - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
+ - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
+ volumes:
+ - os_certs:/usr/share/opensearch/config/certs/
+ - ./config/opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
+ hard: 65536
+ ports:
+ - 9203:9200
+ - 9600:9600 # required for Performance Analyzer
+ healthcheck:
+ test:
+ [
+ 'CMD-SHELL',
+ "curl -v --cacert /usr/share/opensearch/config/certs/root-ca.pem https://opensearch:9200 2>&1 | grep -q '401 Unauthorized'",
+ ]
+ interval: 1s
+ timeout: 5s
+ retries: 120
+
+ opensearch-dashboards:
+ image: opensearchproject/opensearch-dashboards:${OS_VERSION}
+ depends_on:
+ opensearch:
+ condition: service_healthy
+ container_name: opensearch-dashboards
+ ports:
+ - 5603:5601
+ expose:
+ - '5601'
+ volumes:
+ - os_certs:/usr/share/opensearch-dashboards/config/certs/
+ - ./config/opensearch_dashboards/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+
+ ### Logstash
+ logstash:
+ depends_on:
+ generator:
+ condition: service_healthy
+ image: docker.elastic.co/logstash/logstash:8.6.2
+ command:
+ bash -c "bin/logstash-plugin install logstash-input-opensearch logstash-output-opensearch
+ && logstash -f /etc/logstash/conf.d/logstash.conf"
+ volumes:
+ - wm_certs:/etc/ssl
+ - ./config/logstash/logstash-indexer.conf:/etc/logstash/conf.d/logstash.conf
+ - ./config/logstash/es_template.json:/etc/logstash/es_template.json
+ - ./config/logstash/os_templatee.json:/etc/logstash/os_templatee.json
+ - ./config/logstash/os_template.json:/etc/logstash/os_template.json
+ - wd_certs:/etc/certs/wazuh-dashboard
+ - es_certs:/etc/certs/elastic
+ environment:
+ LS_JAVA_OPTS: '-Xmx1024m -Xms1024m'
+
+ ### Certificates generation
+
+ generator:
+ image: cfssl/cfssl
+ volumes:
+ - wi_certs:/certs/wi
+ - wd_certs:/certs/wd
+ - wm_certs:/certs/wm
+ - sp_certs:/certs/sp
+ - es_certs:/certs/es
+ - os_certs:/certs/os
+ - packages:/packages
+ - ./config/certs:/conf
+ entrypoint: /bin/bash
+ command: >
+ -c '
+ echo Validating packages
+ [ ! -f "/packages/logstash.tar.gz" ] && echo Downloading Logstash && wget -q -O logstash.tar.gz ${LOGSTASH_URL} && cp logstash.tar.gz /packages/logstash.tar.gz && echo Download complete
+ [ ! -f "/packages/splunkforwarder.deb" ] && echo Downloading Splunk forwarder && wget -q -O splunkforwarder.deb ${SPLUNK_FORWARDER_URL} && cp splunkforwarder.deb /packages/splunkforwarder.deb && echo Download complete
+
+ export certs=/tmp/certs
+ mkdir $$certs
+ cd $$certs
+
+ echo "Generating CA"
+ cfssl gencert -initca /conf/ca.json | cfssljson -bare ca
+
+ echo "Generating servers certificates"
+ for i in wazuh.indexer wazuh-dashboard wazuh.manager splunk opensearch; do
+ echo "Generating cert for $$i"
+ cat /conf/host.json | \
+ sed "s/HOST/$$i/g" | \
+ cfssl gencert \
+ -ca $$certs/ca.pem \
+ -ca-key $$certs/ca-key.pem \
+ -config /conf/cfssl.json \
+ -profile=server - | \
+ cfssljson -bare $$i
+ openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key
+ done
+
+ echo "Generating clients certificates"
+ for i in admin filebeat; do
+ echo "Generating cert for $$i"
+ cat /conf/host.json | \
+ sed "s/HOST/$$i/g" | \
+ cfssl gencert \
+ -ca $$certs/ca.pem \
+ -ca-key $$certs/ca-key.pem \
+ -config /conf/cfssl.json \
+ -profile=client - | \
+ cfssljson -bare $$i
+ openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key
+ done
+
+ echo "Setting up permissions"
+
+ rm /certs/wi/* /certs/wd/* /certs/wm/*
+
+ mv $$certs/wazuh.indexer* /certs/wi
+ mv $$certs/admin* /certs/wi
+ mv /certs/wi/admin.key /certs/wi/admin-key.pem
+ cp $$certs/ca.pem /certs/wi/root-ca.pem
+ cp $$certs/ca-key.pem /certs/wi/root-ca-key.pem
+
+ mv $$certs/wazuh-dashboard* /certs/wd
+ cp $$certs/ca.pem /certs/wd/root-ca.pem
+ cp $$certs/ca-key.pem /certs/wd/root-ca-key.pem
+
+ mv $$certs/splunk* /certs/sp
+ cp $$certs/ca.pem /certs/sp/cacert.pem
+ cp $$certs/ca-key.pem /certs/sp/cacert-key.pem
+ cat /certs/sp/splunk.pem /certs/sp/splunk-key.pem /certs/sp/cacert.pem > /certs/sp/splunkhec.pem
+
+ mv $$certs/opensearch* /certs/os
+ cp $$certs/ca.pem /certs/os/root-ca.pem
+ cp $$certs/ca-key.pem /certs/os/root-ca-key.pem
+
+ mv $$certs/*.* /certs/wm
+ cp /certs/wm/ca.pem /certs/wm/root-ca.pem
+ cp /certs/wm/ca-key.pem /certs/wm/root-ca-key.pem
+
+ chmod 640 /certs/wi/* /certs/wd/* /certs/wm/*
+ chown -R 1000:1000 /certs/*
+ ls -alR /certs/
+
+ sleep 300
+
+ '
+ healthcheck:
+ test:
+ [
+ 'CMD-SHELL',
+ '[ -r /certs/wm/wazuh.manager.pem ] && [ -f /packages/splunkforwarder.deb ]',
+ ]
+ interval: 2s
+ timeout: 5s
+ retries: 100
+
+volumes:
+ wi_certs:
+ wd_certs:
+ wm_certs:
+ sp_certs:
+ es_certs:
+ os_certs:
+ packages:
diff --git a/integrations/external/extra/dashboards/Splunk/search-bar-in-progress b/integrations/external/extra/dashboards/Splunk/search-bar-in-progress
new file mode 100644
index 0000000000000..041317f5e636f
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/search-bar-in-progress
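Review bot: The `generator` script hands the CA private key to every service: `cp $$certs/ca-key.pem /certs/wi/root-ca-key.pem` is repeated for `wd`, `sp` (as `cacert-key.pem`) and `os`, and `ca-key.pem` itself lands in `/certs/wm` through `mv $$certs/*.* /certs/wm`. Any container mounting one of those volumes can therefore sign a certificate for `CN=admin`, the DN the indexer configuration in this commit trusts as `admin_dn`. Nothing visible in this file points a service at the key (only `root-ca.pem` is referenced; the mounted config files are outside the hunk), so I would drop the five `ca-key.pem` copies and add `rm $$certs/ca-key.pem` before the wildcard `mv`, keeping the key inside the generator container. Separately, the literal passwords (`SPLUNK_PASSWORD: password`, `INDEXER_PASSWORD=SecretPassword`, `API_PASSWORD`, `LOGSTASH_KEYSTORE_PASS`) sit next to port mappings such as `'9200:9200'` and `'55000:55000'` that bind on all host interfaces. Moving them to `.env` as was done for `ELASTIC_PASSWORD`, and prefixing the mappings with `127.0.0.1:`, would keep the lab from being reachable with known credentials.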
@@ -0,0 +1,139 @@
+{
+ "dataSources": {
+ "ds_GHdtwfg5": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=wazuh-alerts $text_IUbHI6Dq$ \n| timechart count by agent.name"
+ },
+ "name": "Search_5"
+ },
+ "ds_BIdQZ95d": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=wazuh-alerts | top limit=$count$ sourcetype | eval percent = round(percent,2)"
+ },
+ "name": "Search_1"
+ },
+ "ds_4N9TMJiX": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" $text_IUbHI6Dq$ | timechart count by agent.name"
+ },
+ "name": "Search_2"
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-24h@h,now"
+ },
+ "title": "Global Time Range"
+ },
+ "input_WxeranBL": {
+ "options": {
+ "defaultValue": "Default Text",
+ "token": "text_IUbHI6Dq"
+ },
+ "title": "Text Input Title",
+ "type": "input.text"
+ },
+ "input_DwM6youF": {
+ "options": {
+ "defaultValue": 10,
+ "token": "num_rSnoK3uk"
+ },
+ "title": "Number Input Title",
+ "type": "input.number"
+ },
+ "input_DwM6youA": {
+ "type": "input.text",
+ "options": {
+ "defaultValue": "5",
+ "token": "count"
+ },
+ "title": "Input count:"
+ }
+ },
+ "layout": {
+ "type": "absolute",
+ "options": {
+ "submitButton": true,
+ "submitonDashboardLoad": true,
+ "display": "auto-scale",
+ "height": 2000,
+ "backgroundColor": "#ffffff"
+ },
+ "structure": [
+ {
+ "item": "viz_ZgRiQCoQ",
+ "type": "block",
+ "position": {
+ "x": 30,
+ "y": 340,
+ "w": 730,
+ "h": 300
+ }
+ },
+ {
+ "item": "viz_ErIyOWsh",
+ "type": "block",
+ "position": {
+ "x": 20,
+ "y": 20,
+ "w": 1170,
+ "h": 300
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp",
+ "input_WxeranBL",
+ "input_DwM6youF",
+ "input_DwM6youA"
+ ]
+ },
+ "title": "Probando",
+ "description": "",
+ "defaults": {
+ "dataSources": {
+ "global": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ },
+ "visualizations": {
+ "global": {
+ "showLastUpdated": true
+ }
+ }
+ },
+ "visualizations": {
+ "viz_ZgRiQCoQ": {
+ "type": "splunk.column",
+ "dataSources": {
+ "primary": "ds_GHdtwfg5"
+ },
+ "options": {
+ "yAxisAbbreviation": "off",
+ "y2AxisAbbreviation": "off",
+ "showRoundedY2AxisLabels": false,
+ "legendTruncation": "ellipsisMiddle",
+ "showY2MajorGridLines": true
+ },
+ "context": {}
+ },
+ "viz_ErIyOWsh": {
+ "type": "splunk.column",
+ "options": {},
+ "dataSources": {
+ "primary": "ds_4N9TMJiX"
+ }
+ }
+ }
+}
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-amazon-aws b/integrations/external/extra/dashboards/Splunk/wazuh-amazon-aws
new file mode 100644
index 0000000000000..84cd253410bb2
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-amazon-aws
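Review bot: This dashboard looks like a scratch export rather than something meant to ship: the file is named `search-bar-in-progress`, the title is `"Probando"`, data source `ds_BIdQZ95d` is not referenced by either visualization, and the `num_rSnoK3uk` token from `input_DwM6youF` appears in no query. The text input's default, `"Default Text"`, is substituted for `$text_IUbHI6Dq$` in both remaining searches, so on first load they filter on those literal words and will probably return nothing. Either drop the file from the commit, or remove the unused data source and input, give it a real title and set the text default to `"*"`.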
@@ -0,0 +1,136 @@
+{
+ "visualizations": {
+ "viz_lTJLU7ar": {
+ "type": "splunk.area",
+ "options": {
+ "stackMode": "stacked",
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count",
+ "legendDisplay": "left"
+ },
+ "dataSources": {
+ "primary": "ds_BHh1kZmb"
+ },
+ "title": "Events by source over time"
+ },
+ "viz_l5qazB46": {
+ "type": "splunk.pie",
+ "options": {
+ "showDonutHole": true
+ },
+ "dataSources": {
+ "primary": "ds_Y2J0psR4"
+ },
+ "title": "Sources"
+ },
+ "viz_1JzeNwnq": {
+ "type": "splunk.table",
+ "title": "Events",
+ "dataSources": {
+ "primary": "ds_K2y81pak"
+ }
+ }
+ },
+ "dataSources": {
+ "ds_BHh1kZmb": {
+ "type": "ds.search",
+ "options": {
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ },
+ "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\""
+ },
+ "name": "Search_1"
+ },
+ "ds_Y2J0psR4": {
+ "type": "ds.search",
+ "options": {
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ },
+ "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\""
+ },
+ "name": "Search_2"
+ },
+ "ds_K2y81pak": {
+ "type": "ds.search",
+ "options": {
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ },
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id"
+ },
+ "name": "Search_3"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_lTJLU7ar",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 795,
+ "h": 334
+ }
+ },
+ {
+ "item": "viz_1JzeNwnq",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 334,
+ "w": 1200,
+ "h": 358
+ }
+ },
+ {
+ "item": "viz_l5qazB46",
+ "type": "block",
+ "position": {
+ "x": 795,
+ "y": 0,
+ "w": 405,
+ "h": 334
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-amazon-aws-v1.0"
+}
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-docker-listener b/integrations/external/extra/dashboards/Splunk/wazuh-docker-listener
new file mode 100644
index 0000000000000..756d9145b8875
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-docker-listener
@@ -0,0 +1,130 @@
+{
+ "visualizations": {
+ "viz_OcJb59wC": {
+ "type": "splunk.pie",
+ "options": {
+ "showDonutHole": true
+ },
+ "dataSources": {
+ "primary": "ds_5TEzCbIf"
+ },
+ "title": "Top 5 events"
+ },
+ "viz_bQPbbrvw": {
+ "type": "splunk.column",
+ "title": "Events by source over time",
+ "dataSources": {
+ "primary": "ds_l6nQN96B"
+ },
+ "options": {
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ }
+ },
+ "viz_7GGKwL33": {
+ "type": "splunk.table",
+ "dataSources": {
+ "primary": "ds_gW45zmr5"
+ },
+ "title": "Events"
+ }
+ },
+ "dataSources": {
+ "ds_5TEzCbIf": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action",
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_l6nQN96B": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n",
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_gW45zmr5": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id",
+ "queryParameters": {
+ "earliest": "$global_time.earliest$",
+ "latest": "$global_time.latest$"
+ }
+ },
+ "name": "Search_3"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-24h@h,now"
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_OcJb59wC",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 415,
+ "h": 316
+ }
+ },
+ {
+ "item": "viz_7GGKwL33",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 316,
+ "w": 1200,
+ "h": 378
+ }
+ },
+ {
+ "item": "viz_bQPbbrvw",
+ "type": "block",
+ "position": {
+ "x": 415,
+ "y": 0,
+ "w": 785,
+ "h": 316
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-docker-listener-v1.0"
+}
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-incident-response b/integrations/external/extra/dashboards/Splunk/wazuh-incident-response
new file mode 100644
index 0000000000000..7b9f20005ff08
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-incident-response
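Review bot: The `Top 5 events` pie is fed by `| top limit=5 data.docker.Action | chart count by data.docker.Action` (`ds_5TEzCbIf`); `top` already returns one row per action with its `count`, so the following `chart count by` counts those rows and every slice should come out as 1. Ending the search at `| top limit=5 data.docker.Action`, or using `| stats count by data.docker.Action | sort -count | head 5`, keeps the real event counts. The same `top ... | chart count by ...` pattern appears in `ds_T5OG9qjO` of wazuh-incident-response and `ds_EmDJmxMO` of wazuh-security-events.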
@@ -0,0 +1,135 @@
+{
+ "visualizations": {
+ "viz_bRMOrrNo": {
+ "type": "splunk.pie",
+ "options": {
+ "showDonutHole": true
+ },
+ "dataSources": {
+ "primary": "ds_T5OG9qjO"
+ },
+ "title": "Alert groups"
+ },
+ "viz_iOvmhhgU": {
+ "type": "splunk.table",
+ "options": {},
+ "dataSources": {
+ "primary": "ds_tnYl87gQ"
+ }
+ },
+ "viz_P0bNNVfw": {
+ "type": "splunk.column",
+ "options": {
+ "stackMode": "stacked",
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ },
+ "dataSources": {
+ "primary": "ds_GccX6Lrj"
+ },
+ "title": "Events"
+ }
+ },
+ "dataSources": {
+ "ds_T5OG9qjO": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_tnYl87gQ": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_GccX6Lrj": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_3"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_bRMOrrNo",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 388,
+ "h": 292
+ }
+ },
+ {
+ "item": "viz_iOvmhhgU",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 292,
+ "w": 1200,
+ "h": 399
+ }
+ },
+ {
+ "item": "viz_P0bNNVfw",
+ "type": "block",
+ "position": {
+ "x": 388,
+ "y": 0,
+ "w": 812,
+ "h": 292
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-incident-response-v1.0"
+}
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-malware-detection b/integrations/external/extra/dashboards/Splunk/wazuh-malware-detection
new file mode 100644
index 0000000000000..620e8bbb37116
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-malware-detection
@@ -0,0 +1,136 @@
+{
+ "visualizations": {
+ "viz_Q5GQT6h2": {
+ "type": "splunk.area",
+ "dataSources": {
+ "primary": "ds_N3cdEic4"
+ },
+ "options": {
+ "stackMode": "stacked",
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ },
+ "title": "Emotet malware activity"
+ },
+ "viz_U8vFKyUp": {
+ "type": "splunk.table",
+ "dataSources": {
+ "primary": "ds_f5AJxLS5"
+ },
+ "title": "Security alerts"
+ },
+ "viz_uLQLGVbg": {
+ "type": "splunk.line",
+ "options": {
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ },
+ "dataSources": {
+ "primary": "ds_IcWLWjPn"
+ },
+ "title": "Rootkits activity over time"
+ }
+ },
+ "dataSources": {
+ "ds_N3cdEic4": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_f5AJxLS5": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_IcWLWjPn": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_3"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_Q5GQT6h2",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 458,
+ "h": 293
+ }
+ },
+ {
+ "item": "viz_U8vFKyUp",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 293,
+ "w": 1200,
+ "h": 381
+ }
+ },
+ {
+ "item": "viz_uLQLGVbg",
+ "type": "block",
+ "position": {
+ "x": 458,
+ "y": 0,
+ "w": 742,
+ "h": 293
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-malware-detection-v1.0"
+}
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-pci-dss b/integrations/external/extra/dashboards/Splunk/wazuh-pci-dss
new file mode 100644
index 0000000000000..681acc9193b81
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-pci-dss
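Review bot: Two panel titles do not match the searches behind them. `viz_Q5GQT6h2` is titled `Emotet malware activity` but its data source `ds_N3cdEic4` counts `"rule.groups{}"="rootcheck"` alerts, while `viz_uLQLGVbg`, titled `Rootkits activity over time`, charts every alert in the index by `data.title` with no rootcheck or malware filter. An analyst reading the dashboard would take rootcheck volume for Emotet detections. Either retitle the panels to describe what is queried or add the intended filters; the `Security alerts` table likewise lists any alert carrying MITRE fields, not only malware-related ones.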
@@ -0,0 +1,136 @@
+{
+ "visualizations": {
+ "viz_9NIbkgTo": {
+ "type": "splunk.bubble",
+ "options": {
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ },
+ "dataSources": {
+ "primary": "ds_g3vSgFS7"
+ },
+ "title": "PCI DSS requirements"
+ },
+ "viz_Z6CAbCjJ": {
+ "type": "splunk.column",
+ "options": {
+ "stackMode": "stacked",
+ "yAxisTitleText": "count",
+ "xAxisTitleText": "requirements"
+ },
+ "dataSources": {
+ "primary": "ds_lljKZIBi"
+ },
+ "title": "Requirements by agent"
+ },
+ "viz_AtTGNj0f": {
+ "type": "splunk.table",
+ "dataSources": {
+ "primary": "ds_9ABDZ4aq"
+ },
+ "title": "Recent events"
+ }
+ },
+ "dataSources": {
+ "ds_g3vSgFS7": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_lljKZIBi": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_9ABDZ4aq": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_3"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_9NIbkgTo",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 629,
+ "h": 400
+ }
+ },
+ {
+ "item": "viz_AtTGNj0f",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 400,
+ "w": 1200,
+ "h": 291
+ }
+ },
+ {
+ "item": "viz_Z6CAbCjJ",
+ "type": "block",
+ "position": {
+ "x": 629,
+ "y": 0,
+ "w": 571,
+ "h": 400
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-pci-dss-v1.0"
+}
\ No newline at end of file
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-security-events b/integrations/external/extra/dashboards/Splunk/wazuh-security-events
new file mode 100644
index 0000000000000..7d5d033ab0bec
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-security-events
@@ -0,0 +1,296 @@
+{
+ "visualizations": {
+ "viz_oAPKLE0R": {
+ "type": "splunk.column",
+ "options": {
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "Count",
+ "stackMode": "stacked"
+ },
+ "dataSources": {
+ "primary": "ds_TdanKF0I"
+ },
+ "showProgressBar": false,
+ "showLastUpdated": false,
+ "title": "Alerts evolution - Top 5 agents",
+ "description": ""
+ },
+ "viz_Y07WmZ1b": {
+ "type": "splunk.table",
+ "dataSources": {
+ "primary": "ds_ut2DiVW9"
+ },
+ "title": "Security alerts",
+ "description": ""
+ },
+ "viz_DI7fpctI": {
+ "type": "splunk.pie",
+ "dataSources": {
+ "primary": "ds_EmDJmxMO"
+ },
+ "showProgressBar": false,
+ "showLastUpdated": false,
+ "title": "Top Mitre ATT&K tactics"
+ },
+ "viz_qYCIuSjF": {
+ "type": "splunk.singlevalueradial",
+ "options": {
+ "majorColor": "#0258a1",
+ "trendColor": "#000000"
+ },
+ "dataSources": {
+ "primary": "ds_d9cN1Qn9"
+ },
+ "title": "Total"
+ },
+ "viz_aTlMnG7A": {
+ "type": "splunk.singlevalueradial",
+ "options": {
+ "majorColor": "#db566f"
+ },
+ "dataSources": {
+ "primary": "ds_ZPT4uVoe"
+ },
+ "title": "Level 12 or above alerts"
+ },
+ "viz_R8LMR6U6": {
+ "type": "splunk.singlevalueradial",
+ "options": {
+ "majorColor": "#bf0561"
+ },
+ "dataSources": {
+ "primary": "ds_d8m0U7Ph"
+ },
+ "title": "Authentication failure"
+ },
+ "viz_nDMI4ZGW": {
+ "type": "splunk.singlevalueradial",
+ "options": {
+ "majorColor": "#007d73"
+ },
+ "dataSources": {
+ "primary": "ds_7FDRhb5m"
+ },
+ "title": "Authentication success"
+ }
+ },
+ "dataSources": {
+ "ds_TdanKF0I": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_ut2DiVW9": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, rule.description, rule.level, rule.id\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_EmDJmxMO": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_3"
+ },
+ "ds_5QIbKzqF": {
+ "type": "ds.search",
+ "options": {
+ "query": "wazuh-alerts-4.x-sample | chart count by rule.groups",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_4"
+ },
+ "ds_d9cN1Qn9": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | stats count",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_5"
+ },
+ "ds_ZPT4uVoe": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_6"
+ },
+ "ds_d8m0U7Ph": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_7"
+ },
+ "ds_7FDRhb5m": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_8"
+ },
+ "ds_UIfFJptm": {
+ "type": "ds.search",
+ "options": {
+ "query": "wazuh-alerts-4.x-sample | stats count",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_9"
+ },
+ "ds_z3i8WcOf": {
+ "type": "ds.search",
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ },
+ "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups"
+ },
+ "name": "Search_10"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_qYCIuSjF",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 291,
+ "h": 137
+ }
+ },
+ {
+ "item": "viz_oAPKLE0R",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 137,
+ "w": 731,
+ "h": 326
+ }
+ },
+ {
+ "item": "viz_Y07WmZ1b",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 463,
+ "w": 1200,
+ "h": 400
+ }
+ },
+ {
+ "item": "viz_aTlMnG7A",
+ "type": "block",
+ "position": {
+ "x": 291,
+ "y": 0,
+ "w": 286,
+ "h": 137
+ }
+ },
+ {
+ "item": "viz_R8LMR6U6",
+ "type": "block",
+ "position": {
+ "x": 577,
+ "y": 0,
+ "w": 301,
+ "h": 137
+ }
+ },
+ {
+ "item": "viz_DI7fpctI",
+ "type": "block",
+ "position": {
+ "x": 731,
+ "y": 137,
+ "w": 469,
+ "h": 326
+ }
+ },
+ {
+ "item": "viz_nDMI4ZGW",
+ "type": "block",
+ "position": {
+ "x": 878,
+ "y": 0,
+ "w": 322,
+ "h": 137
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-security-events-v1.0"
+}
\ No newline at end of file
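Review bot: The pie `viz_DI7fpctI`, titled "Top Mitre ATT&K tactics", is bound to `ds_EmDJmxMO`, whose query ends in `chart count by agent.name`, so the panel shows agents rather than tactics. Assuming the tactic field is the `rule.mitre.tactic{}` that `ds_ut2DiVW9` already tabulates, the query could be `index="wazuh-alerts" | top limit=5 "rule.mitre.tactic{}"`, and the title should read "ATT&CK". The `top limit=5 agent.name` in that source looks like it was meant for the "Alerts evolution - Top 5 agents" chart, whose own source `ds_TdanKF0I` applies no explicit limit. `ds_5QIbKzqF`, `ds_UIfFJptm` and `ds_z3i8WcOf` are not referenced by any visualization and search the bare term `wazuh-alerts-4.x-sample` with no `index=`; they look like leftovers and can be removed.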
diff --git a/integrations/external/extra/dashboards/Splunk/wazuh-vulnerabilities b/integrations/external/extra/dashboards/Splunk/wazuh-vulnerabilities
new file mode 100644
index 0000000000000..56174696e2673
--- /dev/null
+++ b/integrations/external/extra/dashboards/Splunk/wazuh-vulnerabilities
@@ -0,0 +1,261 @@
+{
+ "visualizations": {
+ "viz_XlLyYDmC": {
+ "type": "splunk.area",
+ "dataSources": {
+ "primary": "ds_DljIxEDR"
+ },
+ "options": {
+ "stackMode": "stacked",
+ "xAxisTitleText": "timestamp",
+ "yAxisTitleText": "count"
+ },
+ "title": "Alert severity"
+ },
+ "viz_qzFw5Wx7": {
+ "type": "splunk.table",
+ "options": {},
+ "dataSources": {
+ "primary": "ds_Irx4cEkl"
+ }
+ },
+ "viz_3V3AvVY4": {
+ "type": "splunk.singlevalueradial",
+ "dataSources": {
+ "primary": "ds_oyvgAG73"
+ },
+ "title": "Critical Severity Alerts",
+ "options": {
+ "majorColor": "#db566f"
+ }
+ },
+ "viz_cmEIbZ9q": {
+ "type": "splunk.singlevalueradial",
+ "dataSources": {
+ "primary": "ds_TVyYlSRA"
+ },
+ "title": "Hight Severity Alerts",
+ "options": {
+ "majorColor": "#0258a1"
+ }
+ },
+ "viz_4QSVuglC": {
+ "type": "splunk.singlevalueradial",
+ "dataSources": {
+ "primary": "ds_D0hAYmXA"
+ },
+ "title": "Medium Severity Alerts",
+ "options": {
+ "majorColor": "#007d73"
+ }
+ },
+ "viz_VI9ZdnSO": {
+ "type": "splunk.singlevalueradial",
+ "dataSources": {
+ "primary": "ds_1KrtDz29"
+ },
+ "title": "Low Severity Alerts",
+ "options": {
+ "majorColor": "#232323"
+ }
+ }
+ },
+ "dataSources": {
+ "ds_DljIxEDR": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_1"
+ },
+ "ds_31leL1fM": {
+ "type": "ds.search",
+ "options": {
+ "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_2"
+ },
+ "ds_jymjmvtF": {
+ "type": "ds.search",
+ "options": {
+ "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_3"
+ },
+ "ds_jEwqnxee": {
+ "type": "ds.search",
+ "options": {
+ "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_4"
+ },
+ "ds_Irx4cEkl": {
+ "type": "ds.search",
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ },
+ "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n"
+ },
+ "name": "Search_5"
+ },
+ "ds_oyvgAG73": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_6"
+ },
+ "ds_TVyYlSRA": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_7"
+ },
+ "ds_D0hAYmXA": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_8"
+ },
+ "ds_1KrtDz29": {
+ "type": "ds.search",
+ "options": {
+ "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "name": "Search_9"
+ }
+ },
+ "defaults": {
+ "dataSources": {
+ "ds.search": {
+ "options": {
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ }
+ }
+ }
+ },
+ "inputs": {
+ "input_global_trp": {
+ "type": "input.timerange",
+ "options": {
+ "token": "global_time",
+ "defaultValue": "-60m@m,now",
+ "queryParameters": {
+ "latest": "$global_time.latest$",
+ "earliest": "$global_time.earliest$"
+ }
+ },
+ "title": "Global Time Range"
+ }
+ },
+ "layout": {
+ "type": "grid",
+ "options": {},
+ "structure": [
+ {
+ "item": "viz_3V3AvVY4",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 0,
+ "w": 279,
+ "h": 131
+ }
+ },
+ {
+ "item": "viz_XlLyYDmC",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 131,
+ "w": 1200,
+ "h": 284
+ }
+ },
+ {
+ "item": "viz_qzFw5Wx7",
+ "type": "block",
+ "position": {
+ "x": 0,
+ "y": 415,
+ "w": 1200,
+ "h": 251
+ }
+ },
+ {
+ "item": "viz_cmEIbZ9q",
+ "type": "block",
+ "position": {
+ "x": 279,
+ "y": 0,
+ "w": 293,
+ "h": 131
+ }
+ },
+ {
+ "item": "viz_4QSVuglC",
+ "type": "block",
+ "position": {
+ "x": 572,
+ "y": 0,
+ "w": 309,
+ "h": 131
+ }
+ },
+ {
+ "item": "viz_VI9ZdnSO",
+ "type": "block",
+ "position": {
+ "x": 881,
+ "y": 0,
+ "w": 319,
+ "h": 131
+ }
+ }
+ ],
+ "globalInputs": [
+ "input_global_trp"
+ ]
+ },
+ "description": "",
+ "title": "wazuh-vulnerabilities-v1.0"
+}
diff --git a/integrations/external/extra/dashboards/elastic/allDashboards.ndjson b/integrations/external/extra/dashboards/elastic/allDashboards.ndjson
new file mode 100644
index 0000000000000..a02f7704eb14e
--- /dev/null
+++ b/integrations/external/extra/dashboards/elastic/allDashboards.ndjson
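Review bot: In wazuh-vulnerabilities, the four severity counters (`ds_oyvgAG73`, `ds_TVyYlSRA`, `ds_D0hAYmXA`, `ds_1KrtDz29`) end in `stats count by "data.vulnerability.severity"`, which returns no row at all when nothing matches. A panel with zero critical findings would then presumably render empty instead of showing 0, which is indistinguishable from a broken search. The counters in wazuh-security-events use plain `| stats count`, which always yields a value; the same form works here because each search already filters on one severity. The title `"Hight Severity Alerts"` on `viz_cmEIbZ9q` should read `"High Severity Alerts"`. `ds_31leL1fM`, `ds_jymjmvtF` and `ds_jEwqnxee` are identical, unreferenced searches on the bare term `wazuh-alerts-4.x-sample` and can be dropped.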
@@ -0,0 +1,9 @@ +{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{}","fields":"[]","name":"wazuh-alerts-4.x-*","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x-*","typeMeta":"{}"},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T17:17:45.191Z","id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-24T17:17:45.191Z","version":"WzI1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":8,\"h\":5,\"i\":\"9931cceb-51f1-4e47-bd26-491e7a624592\"},\"panelIndex\":\"9931cceb-51f1-4e47-bd26-491e7a624592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"accessor\":\"df19010a-26e5-446d-9d74-56fe2495e38b\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#db5871\",\"stop\":2}],\"colorStops\":[{\"color\":\"#db5871\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language
\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"exists\",\"key\":\"data.vulnerability.severity\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"data.vulnerability.severity\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\":{\"columns\":{\"df19010a-26e5-446d-9d74-56fe2495e38b\":{\"label\":\"Critical Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Critical\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df19010a-26e5-446d-9d74-56fe2495e38b\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":8,\"h\":5,\"i\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\"},\"panelIndex\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"accessor\":\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#0c5da3\",\"stop\":2}],\"colorStops\":[{\"color\":\"#0c5da3\",
\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"fd6049b6-e52c-449e-9775-ded5ac1eac15\":{\"columns\":{\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\":{\"label\":\"Hight Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"High\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":9,\"h\":5,\"i\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\"},\"panelIndex\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"accessor\":\"b7764bb5-540b-4183-a8c5-e9e856e48949\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#007d73\",\"stop\":2}],\"colorStops\":[{\"color\":\"#007d73\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8774fa0-5ae6-4746-94bd-cd21a0210641\":
{\"columns\":{\"b7764bb5-540b-4183-a8c5-e9e856e48949\":{\"label\":\"Medium Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Medium\\\" \",\"language\":\"kuery\"},\"reducedTimeRange\":\"\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"b7764bb5-540b-4183-a8c5-e9e856e48949\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":9,\"h\":5,\"i\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\"},\"panelIndex\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a397e361-0b6a-4d18-b957-2afce890f6c3\",\"accessor\":\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#222222\",\"stop\":2}],\"colorStops\":[{\"color\":\"#222222\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"alias\":\"data.vulnerability.severity : \\\"Low\\\" 
\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"data.vulnerability.severity\\\":\\\"Low\\\"}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"term\":{\"data.vulnerability.severity\":\"Low\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a397e361-0b6a-4d18-b957-2afce890f6c3\":{\"columns\":{\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\":{\"label\":\"Low Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Low\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":25,\"h\":14,\"i\":\"8fe06d85-091b-47aa-a809-aae9150a3314\"},\"panelIndex\":\"8fe06d85-091b-47aa-a809-aae9150a3314\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\
"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"47832b00-8a1a-4d99-8631-89379474c236\",\"accessors\":[\"32448531-8094-4131-89c9-38ed77a620ec\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"yConfig\":[{\"forAccessor\":\"32448531-8094-4131-89c9-38ed77a620ec\",\"axisMode\":\"auto\"}],\"xAccessor\":\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"splitAccessor\":\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"47832b00-8a1a-4d99-8631-89379474c236\":{\"columns\":{\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\":{\"label\":\"Top 5 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"32448531-8094-4131-89c9-38ed77a620ec\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f20c7be6-a511-4b95-be88-6de506dbf1d8\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"3h\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"32448531-8094-4131-89c9-38ed77a620ec\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\",\"f20c7be6-a511-4b95-be88-
6de506dbf1d8\",\"32448531-8094-4131-89c9-38ed77a620ec\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":5,\"w\":23,\"h\":14,\"i\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\"},\"panelIndex\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":true,\"yTitle\":\"\"},\"valueAccessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\",\"yAccessor\":\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"xAccessor\":\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"name\":\"positive\",\"continuity\":\"above\",\"reverse\":false,\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":0},{\"color\":\"#aed3ca\",\"stop\":20},{\"color\":\"#85bdb1\",\"stop\":40},{\"color\":\"#5aa898\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":null},\"accessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\":{\"columns\":{\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":false},\"6fcc771b-b4e8-4684-80da-49b7b897dc24\":{\"label\":\"Top 3 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":false},\"e8d69708-c954-444b-a94f-9eb1befd3197\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities heat 
map\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":14,\"i\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\"},\"panelIndex\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\"},{\"isTransposed\":false,\"columnId\":\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\"},{\"isTransposed\":false,\"columnId\":\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\",\"hidden\":true},{\"columnId\":\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"isTransposed\":false},{\"columnId\":\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"isTransposed\":false}],\"layerId\":\"d94ddf3d-d285-450e-aba4-46057df55fb7\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d94ddf3d-d285-450e-aba4-46057df55fb7\":{\"columns\":{\"542028d8-117e-4ee0-ba25-3ff4475940aa\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":f
alse,\"excludeIsRegex\":false},\"customLabel\":true},\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\":{\"label\":\"data.vulnerability.cve\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.cve\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\":{\"label\":\"data.vulnerability.package.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\":{\"label\":\"data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949
b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"056be5db-ea40-4979-9985-8f0c73a8dcef\":{\"label\":\"data.vulnerability.package.version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\",\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\",\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-vulnerabilities-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:41.475Z","id":"1e68dc60-e2b
5-11ed-9db8-9f0e23f622c3","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:b9624937-542e-4ac9-9f09-ae532ade3311","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"a0b05cdd-c4b5-46b0-af2e-32253bd965e6:indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"b22f2aba-370b-40f2-8f30-c7175fd21d84:indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:a532bc3a-2caf-4353-9a37-17d4fb373b0d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"8fe06d85-091b-47aa-a809-aae9150a3314:indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"680cfedf-a868-4de2-8173-897f4df7f6d7:indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5a8626af-2bc4-4317-ad7f-20622c16db0a:indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:41.475Z","version":"WzQ3OSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":5,\"i\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\"},\"panelIndex\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"accessor\":\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1E75B6\",\"stop\":300}],\"colorStops\":[{\"color\":\"#1E75B6\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\":{\"columns\":{\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\":{\"label\":\"Total\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\"
:{\"x\":16,\"y\":0,\"w\":8,\"h\":5,\"i\":\"dc864252-a518-4187-80ca-b581ad14f1cb\"},\"panelIndex\":\"dc864252-a518-4187-80ca-b581ad14f1cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"accessor\":\"65d5d9ac-208b-4393-b498-12f4351445bd\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#e57488\",\"stop\":8}],\"colorStops\":[{\"color\":\"#e57488\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"alias\":\"rule.level >= 12\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"range\\\":{\\\"rule.level\\\":{\\\"gte\\\":\\\"12\\\"}}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"rule.level\":{\"gte\":\"12\"}}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\":{\"columns\":{\"65d5d9ac-208b-4393-b498-12f4351445bd\":{\"label\":\"Level 12 or above 
alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.level >= 12\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65d5d9ac-208b-4393-b498-12f4351445bd\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":5,\"i\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\"},\"panelIndex\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"28318134-b7bd-4faa-b21e-b0a6665b526f\",\"accessor\":\"e1a6a50b-cffe-4c92-b756-bad658aee97d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d4458d\",\"stop\":4}],\"colorStops\":[{\"color\":\"#d4458d\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"alias\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"rule.groups\\\":\\\"authentication_failed\\\"}}],\\\"minimum_should_match\\\":1}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"win_authentication_failed\\\",\\\"lenient\\\":true}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"authentication_failures\\\",\\\"lenient\\\":true}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"should\":[{\"term\":{\"rule.groups\":\"authentication_failed\"}}],\"minimum_should_match\":1}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"win_authentication_failed\",\"lenient\":true}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"authentication_failures\",\"lenient\":true}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"28318134-b7bd-4faa-b21e-b0a6665b526f\":{\"columns\":{\"e1a6a50b-cffe-4c92-b756-bad658aee97d\":{\"label\":\"Athentication failure\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e1a6a50b-cffe-4c92-b756-bad658aee97d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":5,\"i\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\"},\"panelIndex\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"accessor\":\"ea00d671-3e3a-434a-8813-1dfa3a023112\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1a938a\",\"stop\":2}],\"colorStops\":[{\"color\":\"#1a938a\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"exists\",\"key\":\"rule.groups\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"rule.groups\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"67c3da39-aad2-4ff4-812f-15cf135b2d12\":{\"columns\":{\"ea00d671-3e3a-434a-8813-1dfa3a023112\":{\"label\":\"Authentication 
success\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups: \\\"authentication_success\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ea00d671-3e3a-434a-8813-1dfa3a023112\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":32,\"h\":14,\"i\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\"},\"panelIndex\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"accessors\":[\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"xAccessor\":\"c5296771-93c8-48cb-bf57-cad19d8c829e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8600050-5477-49a7-a28e-ce9a47ded5f5\":{\"columns\":{\"8d76d731-1e09-4706-b3d9-48108dd7dd32\":{\"label\":\"Count\",\"dataType
\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"c5296771-93c8-48cb-bf57-cad19d8c829e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"3f2d0dea-171c-41ed-9452-29106c10a968\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"c5296771-93c8-48cb-bf57-cad19d8c829e\",\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alerts evolution - Top 5 agents\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":5,\"w\":16,\"h\":14,\"i\":\"e35f33d0-784d-471a-842e-576523d0ca80\"},\"panelIndex\":\"e35f33d0-784d-471a-842e-576523d0ca80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 
Mitre\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"d2ef6c07-620f-431e-85f2-77175187e0fe\",\"primaryGroups\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\"],\"metrics\":[\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3,\"legendSize\":\"xlarge\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d2ef6c07-620f-431e-85f2-77175187e0fe\":{\"columns\":{\"a676e778-cad9-431e-b520-3e87b3a0afb2\":{\"label\":\"Top 5 values of rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\",\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K 
tactics\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":15,\"i\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\"},\"panelIndex\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"isTransposed\":false,\"columnId\":\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\"},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"columnId\":\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"or
derDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},
\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c74264a6-eb65-4232-9444-a503723c6fdf\":{\"label\":\"rule.mitre.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:25.862Z","id":"1002c610-a23f-11ed-9c45-1d7f2cbf4bd8","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"c90b5ced-c476-4336-8248-5f5eee09b7d3:indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:4cd727d8-200d-4869-b702-ff540bd3ff56","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:1b7728c2-28d0-40f9-81ed-74e77231242c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:933a08d4-fd4c-4829-938c-df17bc87af15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e:indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e35f33d0-784d-471a-842e-576523d0ca80:indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ee6f5f4c-2a18-4733-a593-23c1f2a24376:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard
","updated_at":"2023-04-24T18:37:25.862Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":29,\"h\":15,\"i\":\"976e6302-500a-427c-bd29-75cee9034fe6\"},\"panelIndex\":\"976e6302-500a-427c-bd29-75cee9034fe6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"PCI DSS requirements\",\"description\":\"\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":0,\"showCircles\":true,\"circlesRadius\":10,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true
,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-10w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":15,\"i\":\"d299d776-0b4f-4955-b7d6-5717119dba59\"},\"panelIndex\":\"d299d776-0b4f-4955-b7d6-5717119dba59\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"accessors\":[\"0ca7b7c5-03fd-401d-bd44-201d8ca00
b25\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"splitAccessor\":\"852bf376-24f0-4b54-8568-0964c3289eb4\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\":{\"columns\":{\"e17436ee-06c3-4b4e-acda-f8d379648407\":{\"label\":\"Requirements\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"852bf376-24f0-4b54-8568-0964c3289eb4\":{\"label\":\"Top 5 values of 
agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"852bf376-24f0-4b54-8568-0964c3289eb4\",\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Requirements by agent\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":17,\"i\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\"},\"panelIndex\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"PCI 
DSS\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"27ae8c68-e64e-4824-9422-df1611b74c58\"},{\"isTransposed\":false,\"columnId\":\"30508bd4-917e-4614-9922-c445af8e8a8f\"},{\"isTransposed\":false,\"columnId\":\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\"},{\"isTransposed\":false,\"columnId\":\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"df70835d-3cfb-4ead-a942-d60c00330c30\"},{\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f96a237b-410c-475c-863e-60acde29fc71\",\"isTransposed\":false,\"oneClickFilter\":true}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"951964d6-a0d3-4593-911f-b598f1bdd7a6\":{\"columns\":{\"27ae8c68-e64e-4824-9422-df1611b74c58\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"30508bd4-917e-4614-9922-c445af8e8a8f\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7
cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"49885e99-2da3-4165-9b20-9d78ccaca4bd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"df70835d-3cfb-4ead-a942-d60c00330c30\":{\"label\":\"rule.pci_dss\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f96a237b-410c-475c-863e-60acde29fc71\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\",\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"df70835d-3cfb-4ead-a942-d60c00330c30\",\"27ae8c68-e64e-4824-9422-df1611b74c58\",\"30508bd4-917e-4614-9922-c445af8e8a8f\",\"f96a237b-410c-475c-863e-60acde29fc71\",\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Recent 
events\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:10.201Z","id":"ad09bc40-a634-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"976e6302-500a-427c-bd29-75cee9034fe6:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"d299d776-0b4f-4955-b7d6-5717119dba59:indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01:indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:10.201Z","version":"WzQ2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":13,\"i\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\"},\"panelIndex\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"LINEAR\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight
\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"accessors\":[\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"yConfig\":[{\"forAccessor\":\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\",\"color\":\"#40d4e0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\":{\"columns\":{\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Emotet malware 
activity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":13,\"i\":\"cc5ad74e-c871-4ac3-9487-328adc286921\"},\"panelIndex\":\"cc5ad74e-c871-4ac3-9487-328adc286921\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"accessors\":[\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"splitAccessor\":\"52edc505-8c8a-4965-a3f3-46ca861738af\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5ccb00b3-1675-4c9f-a542-927c5930e66e\":{\"columns\":{\"52edc505-8c8a-4965-a3f3-46ca861738af\":{\"label\":\"Top 5 values of 
data.title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.title\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"b662da8a-50ee-4dae-a2bb-25861753d95c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f001735e-ca2b-455d-a50a-b7f44b005f0b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"52edc505-8c8a-4965-a3f3-46ca861738af\",\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Rootkits activity over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\"},\"panelIndex\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\"},{\"isTransposed\":false,\"columnId\":\"1169cee0-a32f-48d2-8e12-2919736d710a\"},{\"isTransposed\":false,\"columnId\":\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"125edb0b-de81-41b8-9612-1d87188e2b12\"},{\"isTransposed\":false,\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\",\"hidden\":true},{\"columnId\":\"694278f2-f767-4450-90f5-4a95905e989f\",\"isTransposed\":false},{\"columnId\":\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"isTransposed\":false}],\"layerId\":\"777017d9-58d0-4f3f-8461-64af784d41a4\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"777017d9-58d0-4f3f-8461-64af784d41a4\":{\"columns\":{\"56e30fec-0d21-4af5-9751-7630c08713e8\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"par
entFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\":{\"label\":\"rule.mitre.technique\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.technique\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1169cee0-a32f-48d2-8e12-2919736d710a\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"23107287-fb86-49ea-bdea-79d55b5e7ea4\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"125edb0b-de81-41b8-9612-1d87188e2b12\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-4
93d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a1caa30b-78e1-493d-bb05-f29242d47609\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"694278f2-f767-4450-90f5-4a95905e989f\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"1073b1b6-aa33-4e11-841b-0b6459a56603\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"694278f2-f767-4450-90f5-4a95905e989f\",\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\",\"1169cee0-a32f-48d2-8e12-2919736d710a\",\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"125edb0b-de81-41b8-9612-1d87188e2b12\",\"a1caa30b-78e1-493d-bb05-f29242d47609\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:31.797Z","id":"f9bb41b0-a3cf-11ed-9187-5147a2b9eedf","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"847a1b06-c15d-41a2-9a08-73b056e959fb:indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cc5ad74e-c871-4ac3-9487-328adc286921:indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e3873842-502a-4ba4-a3ab-d5bcdc9d908c:indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:31.797Z","version":"WzQwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":13,\"i\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\"},\"panelIndex\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"primaryGroups\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\"],\"metrics\":[\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":
\"data\",\"emptySizeRatio\":0.7,\"legendSize\":\"large\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\":{\"columns\":{\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"\",\"language\":\"kuery\"}},\"ccea2153-9f5c-4f65-9346-1feceb3783eb\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\",\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert 
groups\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":13,\"i\":\"115417e6-11a1-4a55-8055-220b69dad98e\"},\"panelIndex\":\"115417e6-11a1-4a55-8055-220b69dad98e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"accessors\":[\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"splitAccessor\":\"a195fccb-9268-453a-b824-54f1e3f72d12\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"54e72470-df75-47d1-a7a6-3d2f807a39d1\":{\"columns\":{\"a195fccb-9268-453a-b824-54f1e3f72d12\":{\"label\":\"Top 5 values of 
rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"audit\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a195fccb-9268-453a-b824-54f1e3f72d12\",\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"edc2487b-0a85-4975-b841-457471ee5cd0\"},\"panelIndex\":\"edc2487b-0a85-4975-b841-457471ee5cd0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\"},{\"columnId\":\
"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\":{\"label\":\"rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\
":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"5f8c
9137-f9b6-4074-ba6c-9fa777b6afdf\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:14.435Z","id":"e30257a0-a641-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"caf3fb07-a3b0-4f51-b000-926f4b26ee4f:indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"115417e6-11a1-4a55-8055-220b69dad98e:indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"edc2487b-0a85-4975-b841-457471ee5cd0:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:14.435Z","version":"WzQwMCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":12,\"i\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\"},\"panelIndex\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"b9d91550-4d81-4724-926b-368cbac70c5c\",\"primaryGroups\":[\"393155df-15ed-400b-bef4-be554873a6c6\"],\"metrics\":[\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b9d91550-4d81-4724-926b-368cbac70c5c\":{\"columns\":{\"393155df-15ed-400b-bef4-be554873a6c6\":{\"label\":\"Top 5 values of data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"393155df-15ed-400b-bef4-be554873a6c6\",\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top 5 events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":12,\"i\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\"},\"panelIndex\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"45315f08-c693-4bdc-aa72-8546f280b2b2\",\"accessors\":[\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"93ae869a-82d8-4825-9391-568728d510a7\",\"splitAccessor\":\"588460de-4d21-471e-922f-0b59d3ec977f\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"45315f08-c693-4bdc-aa72-8546f280b2b2\":{\"columns\":{\"93ae869a-82d8-4825-9391-568728d510a7\":{\"label\":\"timestamp\",\"dataType\":\"da
te\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"69651d63-8697-41d8-b639-5d77e806c90a\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"588460de-4d21-471e-922f-0b59d3ec977f\":{\"label\":\"Top 3 values of data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"69651d63-8697-41d8-b639-5d77e806c90a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"588460de-4d21-471e-922f-0b59d3ec977f\",\"93ae869a-82d8-4825-9391-568728d510a7\",\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":48,\"h\":37,\"i\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\"},\"panelIndex\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"isTransposed\":false},{\"columnId\":\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"isTransposed\":false},{\"columnId\":\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"isTransposed\":false},{\"columnId\":\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"isTransposed\":false},{\"columnId\":\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"isTransposed\":false},{\"columnId\":\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"isTransposed\":false},{\"columnId\":\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\":{\"columns\":{\"1cedf71d-5da2-423a-8108-0d28190dc1f2\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"09e332ce-350b-499a
-8df5-9b15ed375c20\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e323b79e-be8f-458d-80b9-100d79e6fc3c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"655b8229-82ac-4302-a97c-a5b1778f22f9\":{\"label\":\"data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c47bc042-54fd-4134-9cec-05f36c5c95e0\":{\"label\":\"data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\":{\"label\":\"data.docker.Actor.ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Actor
.ID\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a61f2679-de38-4a5d-b105-dab5d341a400\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7109d3b-68d4-418c-b4c4-fe451858d375\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"28c7593f-f805-4cbd-afed-94dfdbde7d29\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"f7109d3b-68d4-41
8c-b4c4-fe451858d375\",\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:50.548Z","id":"8359c240-a7cf-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631:indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ec92f542-1336-4a92-90e6-548fa7a78db6:indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cac9a63e-4892-4879-bd94-210fd3b5b3d0:indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:50.548Z","version":"WzM5MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"5177564c-7c79-4412-9c03-99dca92b90d5\"},\"panelIndex\":\"5177564c-7c79-4412-9c03-99dca92b90d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"left\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"bca83102-e00c-4277-b280-a91ef087536e\",\"accessors\":[\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"splitAccessor\":\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bca83102-e00c-4277-b280-a91ef087536e\":{\"columns\":{\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\":{\"label\":\"Top 3 values of 
data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"amazon\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\",\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\"},\"panelIndex\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"primaryGroups\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\"],\"metrics\":[\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\":{\"columns\":{\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\":{\"label\":\"Top 5 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c1031-e343-427d-b141-b47ccc7a570a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4a2c1031-e343-427d-b141-b47ccc7a570a\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\",\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sources\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\"},\"panelIndex\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"e\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1835ff08-affb-403c-991e-8e642c7a5456\"},{\"isTransposed\":false,\"columnId\":\"6dce6ade-b342-4645-9ff2-228f319d69f7\"},{\"isTransposed\":false,\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\",\"hidden\":true},{\"columnId\":\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"isTransposed\":false},{\"columnId\":\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"isTransposed\":false},{\"columnId\":\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c23cdcb3-1e5c-46f0-9ef2-827d9b867
cb2\":{\"columns\":{\"8882fc10-f772-4a02-af1f-049b59a04dfd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1835ff08-affb-403c-991e-8e642c7a5456\":{\"label\":\"data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6dce6ade-b342-4645-9ff2-228f319d69f7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f8266242-342d-4046-8bb5-90efe4839a60\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"06b78908-beb7-4a01-a9b0-b7f9775318d9\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ea992e31-8ea1-4548-8182-da51c911cf21\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"a8c6efd9-93b3-4636-96ea-43b359962134\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6dce6ade-b342-4645-9ff2-228f319d69f7\",\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"1835ff08-affb-403c-991e-8e642c7a5456\",\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"f8266242-342d-4046-8bb5-90efe4839a60\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePane
lTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:30.916Z","id":"ff5626e0-a63f-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5177564c-7c79-4412-9c03-99dca92b90d5:indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"692e518d-0688-414b-92e8-6b2bf1b960dd:indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"25e0d536-4163-46e6-abd5-5cd45cd9f30a:indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:30.916Z","version":"WzM1OCwxXQ=="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":8,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/integrations/external/extra/dashboards/opensearch/allDashboards.ndjson b/integrations/external/extra/dashboards/opensearch/allDashboards.ndjson new file mode 100644 index 0000000000000..644ac1fa40d76 --- /dev/null +++ b/integrations/external/extra/dashboards/opensearch/allDashboards.ndjson 
@@ -0,0 +1,38 @@ +{"attributes":{"fields":"[{\"count\":0,\"name\":\"@sampledata\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.city_name\"}}},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.country_name\"}}},{\"count\":0,\"name\":\"GeoLocation.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"GeoLocation.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.region_name\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"age
nt.ip\"}}},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.name\"}}},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.node\"}}},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.command\"}}},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":
{\"parent\":\"data.audit.cwd\"}}},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.exe\"}}},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.file.name\"}}},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.success\"}}},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.type\"}}},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.accountId\"}}},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.actor\"}}},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.alert-arn\"}}},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.arn\"}}},{\"count\":0,\"name\":\"data.aws.created-at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.createdAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.description\"}}},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.id\"}}},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.log_file\"}}},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.s3bucket\"}}},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.name\"}}},{\"count\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.notification-type\"}}},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.partition\"}}},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.region\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.principalId\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userName\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.availabilityZone\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageDescription\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceState\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.launchTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\"}}},{\"cou
nt\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"es
Types\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\"}}},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.resourceType\"}}},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.risk-score\"}}},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.schemaVersion\"}}},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.actionType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.api\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.callerType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.connectionDirection\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.protocol\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\"}}},{\"co
unt\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.
aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"
data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTyp
es\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.
additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.inBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.localPort\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.outBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.api\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.re
centApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.count\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatListName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.unusual\"}}},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.archived\"}}},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.count\"}}},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.detectorId\"}}},{\"count\":0,\"name\":\"data.aws.service.eventFirstSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.eventLastSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.resourceRole\"}}},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.severity\"}}},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.source\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\
":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\"}}},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Bucket\"}}},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Description\"}}},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Event Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Record 
Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Timestamps\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.recipientAccountId\"}}},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.tags.value\"}}},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.title\"}}},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.type\"}}},{\"count\":0,\"name\":\"data.aws.updatedAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.url\"}}},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Action\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.container\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.execID\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.exitCode\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.image\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.maintainer\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type
\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.build-date\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vendor\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.signal\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.type\"}}},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.ID\"}}},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\"
,\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Type\"}}},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.from\"}}},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.id\"}}},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.level\"}}},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.message\"}}},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.scope\"}}},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.status\"}}},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.time\"}}},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.timeNano\"}}},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.dstuser\"}}},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.extra_data\"}}},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.insertId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.authAnswer\"}}},{\"count\":0,\"name\":\"da
ta.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.protocol\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryName\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryType\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.responseCode\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\"
:0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.sourceIP\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceName\"}}},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.logName\"}}},{\"count\":0,\"name\":\"data.gcp.receiveTimestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"d
ata.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.location\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.project_id\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.source_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.target_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.type\"}}},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.severity\"}}},{\"count\":0,\"name\":\"data.gcp.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github._document_id\"}}},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.action\"}}},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.active\"}}},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor\"}}},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor_location.country_code\"}}},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.content_type\"}}},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.insecure_ssl\"}}},{\"count\":0,\"name\":\"data.github.config.secret
\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.secret\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.secret\"}}},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.url\"}}},{\"count\":0,\"name\":\"data.github.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events\"}}},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events_were\"}}},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.hook_id\"}}},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.name\"}}},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.org\"}}},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repo\"}}},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository\"}}},{\"count\":0,\"name\":\"data.github.repository_public\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository_public\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository_public\"}}},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.team\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol_name\"}}},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.user\"}}},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.visibility\"}}},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.id\"}}},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.integration\"}}},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.AadAppId\"}}},{\"count\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"cou
nt\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Actor.ID\"}}},{\"count\":0,\"name\":\"data.office365.Actor.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorContextId\"}}},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorIpAddress\"}}},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ApplicationId\"}}},{\"count\":0,\"name\":\"data.office365.AzureActiveDirectoryEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"n
ame\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientApplication\"}}},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIP\"}}},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIPAddress\"}}},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientInfoString\"}}},{\"count\":0,\"name\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name
\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CmdletVersion\"}}},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CorrelationId\"}}},{\"count\":0,\"name\":\"data.office365.CreationTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomUniqueId\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomizedDoclib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DataType\"}}},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DatabaseType\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileName\"}}},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data
.office365.DeviceProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DeviceProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.DoNotDistributeEvent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EffectiveOrganization\"}}},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ErrorNumber\"}}},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"data.office365.EventData\"}}},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EventSource\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.ExternalAccess\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.FromApp\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.HighPriorityMediaProcessing\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Id\"}}},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.InterSystemsId\"}}},{\"count\":0,\"name\":\"data.office365.InternalLogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.IntraSystemId\"}}},{\"count\":0,\"name\":\"data.office365.IsDocLib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Attachments\"}}},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.InternetMessageId\"}}},{\"count\":0,\"name\":\"data.office365.Item.IsRecord\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\
"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberRights\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberSid\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberUpn\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Name\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Path\"}}},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Subject\"}}},{\"count\":0,\"name\":\"data.office365.ItemCount\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ItemType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseTemplateType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",
\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseType\"}}},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListColor\"}}},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListIcon\"}}},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListId\"}}},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListItemUniqueId\"}}},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListTitle\"}}},{\"count\":0,\"name\":\"data.office365.LogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.LogonUserSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxGuid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerMasterAccountSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerUPN\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.NewValue\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.OldValue\"}}},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.NonPIIParameters\"}}},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ObjectId\"}}},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Operation\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationId\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationName\"}}},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OriginatingServer\"}}},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Parameters\"}}},{\"count\":0,\"name\":\"data.office365.RecordType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.RelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultCount\"}}},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultStatus\"}}},{\"count\":0,\"name\":\"data.office365.SecurityComplianceCenterEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Site\"}}},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.office365.SiteUrl\"}}},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Source\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileName\"}}},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.StartTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Subscription\"}}},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SupportTicketId\"}}},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Target.ID\"}}},{\"count\":0,\"name\":\"data.office365.Target.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetContextId\"}}},{\
"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupName\"}}},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupType\"}}},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TemplateTypeId\"}}},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserAgent\"}}},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserId\"}}},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserKey\"}}},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserServicePlan\"}}},{\"count\":0,\"name\":\"data.office365.UserType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.WebId\"}}},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"stri
ng\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Workload\"}}},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.description\"}}},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.identifiers\"}}},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.oval.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.rationale\"}}},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.references\"}}},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.result\"}}},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.severity\"}}},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.benchmark.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.content\"}}},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"su
bType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.score\"}}},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.action\"}}},{\"count\":0,\"name\":\"data.osquery.calendarTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.atime\"}}},{\"count
\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.average_memory\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.block_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_available\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_distro\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_platform\"}}},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.bytes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.chain\"}}},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_hash\"}}},{\"count\":0,\"
name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_valid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.counter\"}}},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.ctime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name
\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device_alias\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.end\"}}},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"pare
nt\":\"data.osquery.columns.executions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.extensions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.filter_name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.flags\"}}},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.gid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.iniface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.instance_id\"}}},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.interval\"}}},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.key\"}}},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.last_executed\"}}},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.match\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\"text
\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free_perc\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_total\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"string
\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mtime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.offset\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface_mask\"}}},{\"count\
":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.output_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.packets\"}}},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.path\"}}},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.permissions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,
\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.policy\"}}},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.protocol\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pseudo\"}}},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"p
arent\":\"data.osquery.columns.resident_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.target\"}}},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.threshold\"}}},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.tty\"}}},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.type\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uuid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.value\"}}},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.version\"}}},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.wall_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.watcher\"}}},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.counter\"}}},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.epoch\"}}},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.name\"}}},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.pack\"}}},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.subquery\"}}},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\"esTy
pes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.protocol\"}}},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.scope\"}}},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcip\"}}},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes\":[\
"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.status\"}}},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.system_name\"}}},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.time\"}}},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.timeNano\"}}},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.url\"}}},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.found\"}}},{\"count\":0,\"name\":\"data.virustotal.malicious\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"string\"
,\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.permalink\"}}},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.positives\"}}},{\"count\":0,\"name\":\"data.virustotal.scan_date\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.alert_id\"}}},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.file\"}}},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.md5\"}}},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.sha1\"}}},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.total\"}}},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.assigner\"}}},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.bugzilla_references\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve_version\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.c
vss2.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.authentication\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"script
ed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vul
nerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.scope\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\"}}},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cwe_reference\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerabili
ty.package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.architecture\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.condition\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.name\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.source\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.version\"}}},{\"count\":0,\"name\":\"data.vulnerability.published\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.rationale\"}}},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.references\"}}},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.severity\"}}},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.state\"}}},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.title\"}}},{\"count\":0,\"name\":\"data.vulnerability.updated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.authenticationPackageName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.failureReason\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipAddress\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipPort\"}}},{\"count\":0,\"name\":\"data.win.eventdata.keyLength\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonProcessName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonType\"}}},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.processId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.status\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subStatus\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectLogonId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectUserSid\"}}},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\",\"esType
s\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.targetUserName\"}}},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.channel\"}}},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.computer\"}}},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventID\"}}},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventRecordID\"}}},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.systems\"}}},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.level\"}}},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.message\"}}},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.opcode\"}}},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.processID\"}}},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerGuid\"}}},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerName\"}}},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.severityValue\"}}},{\"count\":0,\"name\":\"data.win.system.systemTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"coun
t\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.task\"}}},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.threadID\"}}},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.version\"}}},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.name\"}}},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.parent\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"text\"],
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"fields.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"full_log\"}}},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"id\"}}},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\
"parent\":\"input.type\"}}},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"location\"}}},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.hostname\"}
}},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.program_name\"}}},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.timestamp\"}}},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"previous_output\"}}},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.category\"}}},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.decoded_as\"}}},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.frequency\"}}},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.group\"}}},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.hostname\"}}},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false}
,{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.id\"}}},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_fts\"}}},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_matched_sid\"}}},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_sid\"}}},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.ignore\"}}},{\"count\":0,\"name\":\"rule.details.match\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.match\"}}},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.maxsize\"}}},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.noalert\"}}},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.regex\"}}},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.same_source_ip\"}}},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.timeframe\"}}},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.user\"}}},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filename\"}}},{\"count\":0,\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"rule.info\"}}},{\"count\":0,\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":
{\"parent\":\"rule.nist_800_53\"}}},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci\"}}},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.relative_dirname\"}}},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.status\"}}},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\
":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"count\":0,\"name\":\"syscheck.audit.effective_user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.effective_user.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.group.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.group.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.process.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.process.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.process.pp
id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.user.name\"}}},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.changed_attributes\"}}},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.event\"}}},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"syscheck.gid_after\"}}},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.gname_after\"}}},{\"count\":0,\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.md5_after\"}}},{\"count\":0,\"name\":\"syscheck.mtime_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.mtime_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.path\"}}},{\"count\":
0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.perm_after\"}}},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha1_after\"}}},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha256_after\"}}},{\"count\":0,\"name\":\"syscheck.size_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.tags\"}}},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readF
romDocValues\":false},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uid_after\"}}},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uname_after\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x*"},"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over 
time\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-patter
n"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sources","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sources\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"bf8f2f20-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMsMV0="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.aws.source\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\
"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzQsMV0="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\"},\"panelIndex\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\"},\"panelIndex\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\"},\"panelIndex\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"id":"d9881710-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"bf8f2f20-c74b-11ed-a68b-6f8
500ccee6f","name":"panel_1","type":"visualization"},{"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzUsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 5 events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top 5 events\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over time - 
Docker\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pat
tern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Docker\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.type\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Actor.ID\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.actor.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\
":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.action\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzgsMV0="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"id":"38d43040-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzksMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert groups","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
groups\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Incident 
response\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:audit\",\"language\":\"lucene\"},\"label\":\"audit\"},{\"input\":{\"query\":\"rule.groups:audit_command\",\"language\":\"lucene\"},\"label\":\"audit_command\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.
index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzExLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Incident response\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.groups\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucke
t\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEyLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"id":"f70272b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"
},"references":[{"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Critical severity alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Critical severity alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Critical Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Critical\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"High Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"High Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"High Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:High\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Medium Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Medium Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Medium Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Medium\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
severity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","ty
pe":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Low Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Low Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Low Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Low\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greys\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60},\"outline\":true}}}"},"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE4LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities heat map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities heat map\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE5LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.cve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.cve\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.name\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucke
t\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.version\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.severity\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIwLDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":15,\"i\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"hidePanelTitles\":false,\"title\":\"Events\"},\"gridData\":{\"h\":16,\"i\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"w\":48,\"x\":0,\"y\":23},\"panelIndex\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"title\":\"Events\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-vu
lnerabilities-v1.0","version":1},"id":"4e776290-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total 
alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Level 12 or above alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Level 12 or above alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Level 12 alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.level:[12 TO 
*]\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"vertical\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Yellow to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication failure","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication failure\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication failure\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_failed OR rule.groups:win_authentication_failed OR 
rule.groups:authentication_failures\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication success\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication 
success\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_success\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert level evolution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert level 
evolution\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pa
ttern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top MITRE ATT&CKS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top MITRE ATT&CKS\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts main","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security alerts 
main\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"}
,\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI4LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_2\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_3\"},{\"version\":\"2.6
.0\",\"gridData\":{\"h\":14,\"i\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"w\":32,\"x\":0,\"y\":7},\"panelIndex\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"embeddableConfig\":{\"title\":\"Alert level evolution - Top 5 agents\",\"hidePanelTitles\":false},\"title\":\"Alert level evolution - Top 5 agents\",\"panelRefName\":\"panel_4\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":14,\"i\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"embeddableConfig\":{\"title\":\"Top Mitre ATT&K tactics\",\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K tactics\",\"panelRefName\":\"panel_5\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":18,\"i\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"w\":48,\"x\":0,\"y\":21},\"panelIndex\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"embeddableConfig\":{\"title\":\"Security alerts\",\"hidePanelTitles\":false},\"title\":\"Security alerts\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"id":"a22b3850-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI5LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Emotet malware activity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Emotet malware activity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:\\\"rootcheck\\\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"setYExtents\":false,\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"widt
h\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Rootkits activity over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Rootkits activity over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.title\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"
Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":3,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"a7146210-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security 
alerts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id
\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMyLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"id":"f5c5a590-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"a
7146210-c752-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"PCI DSS requirements","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PCI DSS requirements\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"radius\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"lin
e\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":false,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"radiusRatio\":50}}"},"id":"e9144240-c755-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Requirements by agent","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Requirements by 
agent\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requirements\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization
","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Recent events - PCI DSS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Recent events - PCI DSS\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.pci_dss\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\
",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM2LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"id":"7f10dd80-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"e9144240-c755-11ed-a68b-6f
8500ccee6f","name":"panel_0","type":"visualization"},{"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM3LDFd"}
+{"exportedCount":37,"missingRefCount":0,"missingReferences":[]}
\ No newline at end of file
diff --git a/integrations/external/extra/sample_alerts/changeDate.py b/integrations/external/extra/sample_alerts/changeDate.py
new file mode 100644
index 0000000000000..6a89307c86176
--- /dev/null
+++ b/integrations/external/extra/sample_alerts/changeDate.py
@@ -0,0 +1,18 @@
+import datetime
+import random
+def random_date(start,end,prop):
+ ptime = start + prop * (end - start)
+ return ptime
+
+current_time = datetime.datetime.now()
+seven_days_before = datetime.datetime.now() - datetime.timedelta(days=7)
+file = 'sample.json'
+destination='/var/ossec/logs/alerts/sample_alerts.json'
+with open(file,'r') as f:
+ newlines = []
+ for line in f.readlines():
+ result = str(random_date(seven_days_before,current_time,random.random()).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3])+'+0000'
+ newlines.append(line.replace('dateToChange',result))
+with open(destination,'w') as f:
+ for line in newlines:
+ f.write(line)
diff --git a/integrations/external/extra/sample_alerts/sample.json b/integrations/external/extra/sample_alerts/sample.json
new file mode 100644
index 0000000000000..7cb5af437ccce
--- /dev/null
+++ b/integrations/external/extra/sample_alerts/sample.json
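Review bot: In changeDate.py, `current_time` and `seven_days_before` are taken from naive `datetime.datetime.now()`, which is host-local time, yet every generated timestamp gets a literal `+0000` appended. On a host whose clock is not set to UTC the sample alerts are shifted by the local offset, and east of UTC some of them land in the future, so a time-ranged panel or a correlation over recent events may not show them. I would derive both values from UTC, `current_time = datetime.datetime.now(datetime.timezone.utc)` and `seven_days_before = current_time - datetime.timedelta(days=7)`; the `strftime` format has no `%z`, so the appended `+0000` then matches the value. Separately, `open(destination,'w')` truncates a fixed file under `/var/ossec/logs/alerts/`, which deserves a comment saying the script is meant for the test container only.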
@@ -0,0 +1,19000 @@ +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:52:50.390Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23315}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T00:27:33.061Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25973,"mtime_before":"2023-03-06T00:26:33.061Z","inode_before":81839,"sha1_after":"42b103c8ccf0f552e931159fdccf2072f1444842","changed_attributes":["sha1"],"md5_after":"896a6493ad8dd456f9a9d919d9c74a5e","sha256_after":"6cadaacded787afb101f14c9b404daed8c8800f19199a31024ce91ea1f26"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T06:38:30.327Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27089}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T15:35:43.101Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":94411}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T17:26:43.070Z","size_after":52,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":3757}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T07:02:03.366Z","size_after":42,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":26770,"tags":["tmp"],"sha1_after":"df3a71b04cbc8d8576528e45a88c0e6748632562","audit":{"process":{"name":"/etc/sample","id":67801,"ppid":59733},"effective_user":{"name":"wazuh","id":30},"user":{"name":"ec2-user","id":67},"group":{"name":"root","id":89}},"md5_after":"1458d9e7fd5767d3da80e9b7cea80d39","sha256_after":"d06f6aaf934ef92b402bc8a17c1952106a3f1282ebbbdcac01c267207f4d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T11:35:13.171Z","size_after":58,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":78734,"tags":["tmp"],"sha1_after":"15de34978161a926f89348b0e973d1d7119b80d5","audit":{"process":{"name":"/etc/sample","id":83100,"ppid":55737},"effective_user":{"name":"ec2-user","id":26},"user":{"name":"NETWORK Service","id":69},"group":{"name":"Administrators","id":28}},"md5_after":"b4e21b175b97f6adbc33bb6dfe329f66","sha256_after":"3b0748c7102b29456fa6391ab54ef758e83b39e9e02838051deb6a77ca39"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T19:13:25.114Z","size_after":16,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":90922}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T21:07:25.826Z","size_after":19,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":33901}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T05:52:30.741Z","size_after":51,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":67239,"mtime_before":"2023-03-04T05:51:30.741Z","inode_before":71369,"sha1_after":"49c5fd09f97478c3d158d4b2c5730f88ba1f5658","changed_attributes":["size"],"md5_after":"b4f6c9ae779fff01a8394a453e6dfcee","sha256_after":"283a9a0c47b1501210111b15f321a90d32fe3a9f07ce0a84d0de150bc3e6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T07:26:34.693Z","size_after":59,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":13357,"tags":["tmp"],"sha1_after":"8e0701a0f768bafdb69c034b85deb0c8153c63ff","audit":{"process":{"name":"/tmp/sample","id":80001,"ppid":46110},"effective_user":{"name":"LOCAL Service","id":36},"user":{"name":"suricata","id":76},"group":{"name":"NETWORK Service","id":24}},"md5_after":"ba72dcb61c068c721d5b4966bef44cb8","sha256_after":"c194dbbf9bf2c40cfead38729693efe7c89a3b900fd52f5327264356929e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-02T20:03:40.236Z","size_after":61,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":70784,"mtime_before":"2023-03-02T20:02:40.236Z","inode_before":16923,"sha1_after":"38ca3d1f014d7f654473ddccb76119450d2ddc9a","changed_attributes":["tmp"],"md5_after":"00c6b046b6637ad1cb3d823d3143bd29","sha256_after":"fea09b433f8e71c448e7fb908852f5d3a5d6176b2987b6aaafd59e0fcdb7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T15:51:44.197Z","size_after":43,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":30328}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T10:57:43.943Z","size_after":45,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":27349}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T23:31:05.359Z","size_after":0,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":43646,"tags":["tmp"],"sha1_after":"67d896ca57a01dc3b2b93890dbb043f5ec708146","audit":{"process":{"name":"/home/user/sample","id":91864,"ppid":94467},"effective_user":{"name":"wazuh","id":74},"user":{"name":"SYSTEM","id":19},"group":{"name":"suricata","id":11}},"md5_after":"ed21c19b8aaa81d9a26221622142cd30","sha256_after":"0738a7568c83c8e20933c3f55c70a0e9a039ecbd08cd90c703d15b226952"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T22:02:46.148Z","size_after":10,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":47384,"mtime_before":"2023-03-02T22:01:46.148Z","inode_before":93521,"sha1_after":"884e74b7291ced7891ceeb9073b3c6f447abf66e","changed_attributes":["size"],"md5_after":"520fe5675c03e05be395825094201c54","sha256_after":"d6bb049f5853ad6c364864fd08ff2e24705eb940998818f32e1613180300"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T06:20:52.412Z","size_after":57,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":2119}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T17:56:45.325Z","size_after":65,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":10134}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T21:39:18.371Z","size_after":38,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":49725}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T15:37:13.299Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":4653,"tags":["tmp"],"sha1_after":"df6a16e85136ea0c228762ea7b6ac370b040e85e","audit":{"process":{"name":"/etc/sample","id":24227,"ppid":607},"effective_user":{"name":"LOCAL Service","id":89},"user":{"name":"SYSTEM","id":85},"group":{"name":"Administrators","id":16}},"md5_after":"074b42564f024390fb410da4a48cb09b","sha256_after":"81104a744a04cf58e3b187831aee0d0cb8c92be5fc4c5c6cbe7bd3d0bdaa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T00:17:39.575Z","size_after":50,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":38518,"tags":["tmp"],"sha1_after":"5eebbfce74c2d6644611ee26b582f8cb483d2362","audit":{"process":{"name":"/etc/sample","id":29794,"ppid":54122},"effective_user":{"name":"Administrators","id":87},"user":{"name":"NETWORK Service","id":37},"group":{"name":"NETWORK 
Service","id":98}},"md5_after":"bf44dfd3f4f05b4da7be2063c5a9b0bf","sha256_after":"63683b9007400187e5672eae43cbf928d407ca75b86060c706bfc9ed0f0f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T00:22:47.314Z","size_after":53,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":32445,"tags":["tmp"],"sha1_after":"c98984e8fd54e1a6eb9606038021b01fbfa99be9","audit":{"process":{"name":"/etc/sample","id":82843,"ppid":50812},"effective_user":{"name":"LOCAL Service","id":77},"user":{"name":"suricata","id":14},"group":{"name":"root","id":55}},"md5_after":"8daf0292f7969fcb2a64fe2eb55acb6c","sha256_after":"2430e1c325ebcc8c73d45264e0558acc32d6f1daff358f51dc6e0a2db0df"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-03T12:03:30.696Z","size_after":26,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":64309}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T08:08:20.783Z","size_after":10,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":98334,"tags":["tmp"],"sha1_after":"8c6c23ebb4bd315af74e087be23119ed93fc0fc3","audit":{"process":{"name":"/etc/sample","id":18575,"ppid":29737},"effective_user":{"name":"Administrators","id":22},"user":{"name":"LOCAL Service","id":46},"group":{"name":"suricata","id":56}},"md5_after":"825caa705bbef3bb2044b377d5fcf4c4","sha256_after":"0693bb588e2b50d865addd2fbcb7b18ed32fd33ee0068209c4faec6d7e37"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-04T05:29:56.167Z","size_after":22,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":6376,"mtime_before":"2023-03-04T05:28:56.167Z","inode_before":20468,"sha1_after":"928f203dea9c62b924444c3e6b5aef89cfec4ce0","changed_attributes":["mtime"],"md5_after":"f100ae49d87fbbfa876145d09c547bcc","sha256_after":"874365449d0d5c6fe4f04a65c26bac2a5a9353a05a547d78c171af8de3b8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T23:20:46.176Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":99814,"tags":["tmp"],"sha1_after":"3bc322d7d370968cfe923d94b749a452414e128e","audit":{"process":{"name":"/tmp/sample","id":80938,"ppid":49744},"effective_user":{"name":"LOCAL Service","id":66},"user":{"name":"LOCAL Service","id":92},"group":{"name":"ec2-user","id":60}},"md5_after":"dee9f82d38bbe02db1efb604ad3d3b2e","sha256_after":"5c832cdf6cc659c1a534d3d46360f07b2969cf45df395a69c15da8db4403"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T01:08:44.778Z","size_after":20,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":94613,"mtime_before":"2023-03-05T01:07:44.778Z","inode_before":42736,"sha1_after":"e3e18361ac4e2b8302bf3f6694ce5da60c06bf72","changed_attributes":["size"],"md5_after":"2cbd3f5b4fe73bb21499bebc2950f759","sha256_after":"f88749c99c04e6ca3fb93579a75801816dc5625cde1bffd9bd4b58cce0a1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T15:51:07.029Z","size_after":49,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":84250,"tags":["tmp"],"sha1_after":"a5f20795f9eddae94e4a935546280db59e8d93c8","audit":{"process":{"name":"/etc/sample","id":26692,"ppid":61685},"effective_user":{"name":"wazuh","id":24},"user":{"name":"LOCAL 
Service","id":7},"group":{"name":"wazuh","id":15}},"md5_after":"197508d97908ef730dd216054da2f314","sha256_after":"e89eba133306a86fcc10903e17c52000d37a956751165224158134c75c80"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T13:06:02.431Z","size_after":17,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":35521}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T05:00:25.267Z","size_after":25,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":42471,"tags":["tmp"],"sha1_after":"935dd9e5bfd03f6e098167f63851d8441d8f1e92","audit":{"process":{"name":"/home/user/sample","id":81018,"ppid":56832},"effective_user":{"name":"ec2-user","id":78},"user":{"name":"LOCAL Service","id":91},"group":{"name":"NETWORK 
Service","id":57}},"md5_after":"c567bab5bd80bacb7c645ea2d69fc049","sha256_after":"056b02d8067fe0c1e9fb419ddfbe6f21c03b20e1066307066cca96b724df"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T01:09:42.304Z","size_after":8,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":3645}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T11:41:53.517Z","size_after":1,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":9437,"mtime_before":"2023-03-04T11:40:53.517Z","inode_before":4471,"sha1_after":"d01c37036c5557db814e5bd1f85aff2dc8a279f2","changed_attributes":["md5"],"md5_after":"eff0f5c5409940b14b1c5e27bac1b815","sha256_after":"7c61f173f8d7d5f7055b53cc93503a7552d3db214807d1ab3cddbf26f48a"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T22:10:59.166Z","size_after":47,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":18177,"mtime_before":"2023-03-01T22:09:59.166Z","inode_before":13068,"sha1_after":"3e1cc0335dac9992843fd7fd1b6d5b732b4f0ca1","changed_attributes":["md5"],"md5_after":"c6f0bd4430125e4fd0fde1ee0083dab6","sha256_after":"817dee9ef05ac8347e55b64f144a0967d6ef383dab47ac10f54c6fe324e9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T00:50:50.067Z","size_after":14,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":29079}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T06:32:14.298Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":73240,"mtime_before":"2023-03-04T06:31:14.298Z","inode_before":51564,"sha1_after":"6464f041487e7c986f2f8bec4a30a1830737d83a","changed_attributes":["sha1"],"md5_after":"d9121708e4fe30269d73b61817a28540","sha256_after":"a6cbcb0dc5496679fbb1abe2791d239e068baf2db722e335fa2ec566c29c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files 
(x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T00:09:27.607Z","size_after":38,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":58023,"tags":["tmp"],"sha1_after":"7f2b8876f043007440cac647efb667b29aa0ea73","audit":{"process":{"name":"/etc/sample","id":55925,"ppid":47433},"effective_user":{"name":"wazuh","id":63},"user":{"name":"Administrators","id":63},"group":{"name":"wazuh","id":3}},"md5_after":"1b5ca48f8c7d53757341107d290a9d99","sha256_after":"1a3be2beeecc0a0aa9ed1110d4a90c2155a2848e8c31bb5abb5f7bf5921d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T21:51:58.896Z","size_after":24,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":26900,"tags":["tmp"],"sha1_after":"52e36644b2b123b26326a1889f4b265935364553","audit":{"process":{"name":"/tmp/sample","id":68845,"ppid":58369},"effective_user":{"name":"suricata","id":75},"user":{"name":"wazuh","id":17},"group":{"name":"SYSTEM","id":71}},"md5_after":"5dc0bb0f3abc1c52cc3b0a7f9cab3a09","sha256_after":"407a6a05d95bf14b3571dce7f0360b23421927555f6fca7d88b1f5f6edd3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T06:58:35.021Z","size_after":5,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":35983}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T12:34:07.767Z","size_after":21,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":39985}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T15:50:01.657Z","size_after":19,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":12355,"tags":["tmp"],"sha1_after":"c06d13217e76d55e547f41848f2b6c8ff9455a83","audit":{"process":{"name":"/tmp/sample","id":36859,"ppid":98206},"effective_user":{"name":"LOCAL Service","id":17},"user":{"name":"root","id":14},"group":{"name":"root","id":9}},"md5_after":"ac603ec669c4195974a56ce1a176c509","sha256_after":"b1347367098c113138b72092374ef43013f8d3ce65cd24b4c5ff619e24b5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T14:10:59.076Z","size_after":22,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":1500}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T11:48:34.815Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":29863}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T16:15:42.440Z","size_after":62,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":3975,"mtime_before":"2023-03-03T16:14:42.440Z","inode_before":14503,"sha1_after":"3ef1e8c9a8da390062edc975140cbaf1bbe46e15","changed_attributes":["sha1"],"md5_after":"191602a54f00b200898ae87ed5d8d278","sha256_after":"15457fae36e73c7212699426b3aa43b0db38a820d40de94ebeadedaadc5d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T22:22:37.599Z","size_after":24,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":89665,"tags":["tmp"],"sha1_after":"2abf324836e6f288d4d66ecd3b8a305efdf2c343","audit":{"process":{"name":"/tmp/sample","id":53784,"ppid":48160},"effective_user":{"name":"LOCAL Service","id":8},"user":{"name":"LOCAL Service","id":68},"group":{"name":"wazuh","id":26}},"md5_after":"d7f640176685a1a964338bf6b0cecb7b","sha256_after":"e88e5cbd9a63262d8cfbf19f5a70fc9f7e063886e6e5f129ffbbfad8341f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T23:32:16.099Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":11899}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T16:25:58.236Z","size_after":30,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":61109,"mtime_before":"2023-03-07T16:24:58.236Z","inode_before":59780,"sha1_after":"c10a875c63e7a0c50af9651d5493d50dedfd8b66","changed_attributes":["mtime"],"md5_after":"4d9c33c0915d6c3dc00ca716ab686033","sha256_after":"da689c8d2b862191ab4582e5e31da49dc15184dae99fefe01e6f4a57067c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T18:05:18.090Z","size_after":2,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":54788,"tags":["tmp"],"sha1_after":"4c3458088a534673924cbdcd2ce5aa9ec764664e","audit":{"process":{"name":"/etc/sample","id":72117,"ppid":38408},"effective_user":{"name":"wazuh","id":19},"user":{"name":"NETWORK 
Service","id":2},"group":{"name":"root","id":98}},"md5_after":"6d1b967d391335be81299eef75498c16","sha256_after":"f0f5728bb7ef7a258661121a37d7c4136dc9870a5b6283470834d9334707"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T10:32:40.126Z","size_after":23,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":13548,"tags":["tmp"],"sha1_after":"9b64b1ead0b7a21cdf34e0eda030d0d9da0cbfb4","audit":{"process":{"name":"/home/user/sample","id":42441,"ppid":74398},"effective_user":{"name":"wazuh","id":100},"user":{"name":"SYSTEM","id":82},"group":{"name":"suricata","id":30}},"md5_after":"7dc3d4c746f1c3e85a178ca3a4495399","sha256_after":"2736d7cb09a6dd6b0d05171edca4ccd171e1b8374d1f0bd4bd269756b016"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-06T10:53:05.740Z","size_after":7,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":25679}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T03:14:29.496Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":96807}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T11:45:56.461Z","size_after":15,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":66912,"tags":["tmp"],"sha1_after":"65d4261b5eb86105214f214322097a3928d3e21a","audit":{"process":{"name":"/etc/sample","id":76804,"ppid":38521},"effective_user":{"name":"LOCAL Service","id":83},"user":{"name":"NETWORK 
Service","id":30},"group":{"name":"ec2-user","id":76}},"md5_after":"18f3169f3c216e470bd3589d39db5ffb","sha256_after":"6ce8487d70d2d48600b4bb7dcc0651d2a3f00179fc25fe8841cc638c1d97"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T02:01:17.315Z","size_after":32,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":77985,"mtime_before":"2023-03-03T02:00:17.315Z","inode_before":65707,"sha1_after":"e4cfad2aed15efb1c7b60ebf61dff04b353cced4","changed_attributes":["tmp"],"md5_after":"74808bbdccd52b41a182ac1784c2131c","sha256_after":"9a5460643179307b402ee97157410fda297747ff6df8dcf5d6c4c2513d8e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-02T12:12:35.613Z","size_after":43,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":92296,"tags":["tmp"],"sha1_after":"9612bd61cefa6c0b4aa853822f4d29a6f637ec18","audit":{"process":{"name":"/etc/sample","id":20892,"ppid":8461},"effective_user":{"name":"Administrators","id":70},"user":{"name":"ec2-user","id":97},"group":{"name":"wazuh","id":99}},"md5_after":"a9ed50ea9c94f5e4d2639a0b3ccd6bae","sha256_after":"2fc57a5f0ab35ed9ad36229afdff7d1eca3bf77dcd2210ccb92556bc7e03"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T14:15:42.847Z","size_after":12,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":45368,"mtime_before":"2023-03-02T14:14:42.847Z","inode_before":12454,"sha1_after":"1ecba684f504999b1fb6f8cd6ee131732ea82088","changed_attributes":["tmp"],"md5_after":"577e019adcdb272cf799f1beab1f51a9","sha256_after":"eb0de09338a40ae632f3ccea9671521c40f16012db2b20aed13bcc5e099b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T13:19:17.330Z","size_after":45,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":97281,"tags":["tmp"],"sha1_after":"dfd3a589b12c1aea2014e82464aeecb7fa29ed1d","audit":{"process":{"name":"/home/user/sample","id":53207,"ppid":10087},"effective_user":{"name":"suricata","id":86},"user":{"name":"suricata","id":64},"group":{"name":"wazuh","id":54}},"md5_after":"110315052907d69c37eb6e844404f58b","sha256_after":"1debf8da8cff236b43597026f097e38c55efc3fab985e707a5096df6994c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T00:33:37.831Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":20493}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T15:37:38.295Z","size_after":13,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":67847,"mtime_before":"2023-03-05T15:36:38.295Z","inode_before":61898,"sha1_after":"45fa4e5ba1961e6892983e7e0dbf499c0de3f0c9","changed_attributes":["tmp"],"md5_after":"b4c75c4799b86d69599724db28726693","sha256_after":"ab53d6099d6963d03ada6664feedbd2bc35425c6ec8aeac2845dcc867242"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T02:52:18.461Z","size_after":54,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":88092}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T19:40:31.713Z","size_after":10,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":22987,"mtime_before":"2023-03-02T19:39:31.713Z","inode_before":67071,"sha1_after":"653a7e99c699c744bd187af9d398c4c724167c70","changed_attributes":["md5"],"md5_after":"ddfa4250e1a62efaa4c5c7b171a35983","sha256_after":"372768f31e922b57af45b275606e110ce79d705ba741aa073d79da9178b2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T06:19:07.806Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":71295,"tags":["tmp"],"sha1_after":"575a011c8e0d300a9678480dd1e4dc6ee700a4ea","audit":{"process":{"name":"/home/user/sample","id":15154,"ppid":1526},"effective_user":{"name":"Administrators","id":49},"user":{"name":"SYSTEM","id":1},"group":{"name":"LOCAL 
Service","id":29}},"md5_after":"6f0d99834212afded6db5e47edda25dc","sha256_after":"c8e540238e0aab7ece8c61ebf80e2305ad279f90e7c813a1a11d402d2781"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T15:42:01.503Z","size_after":40,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":74828,"tags":["tmp"],"sha1_after":"51d636cab9a5b6f7e075e1f72359a73b86081f64","audit":{"process":{"name":"/etc/sample","id":18433,"ppid":24885},"effective_user":{"name":"wazuh","id":27},"user":{"name":"SYSTEM","id":53},"group":{"name":"wazuh","id":81}},"md5_after":"f6731b72d29763de737b7bea9052faaa","sha256_after":"e3ad7ae50a1eac39cc95e9e4b8ecafb27cfe45d90ac3f6bafe31614ba52d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-04T08:26:15.594Z","size_after":44,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":19849,"tags":["tmp"],"sha1_after":"e921eb3843804616715f296f5679d2d2c2a14c19","audit":{"process":{"name":"/tmp/sample","id":68611,"ppid":83104},"effective_user":{"name":"wazuh","id":15},"user":{"name":"LOCAL Service","id":15},"group":{"name":"root","id":40}},"md5_after":"4ad3dfe1b8c0f999f8ddb8f5f7406ad8","sha256_after":"1a33afc52f0c7e2ecf26f9909fb8f40b5e84528c7839bffa13a21ae971ce"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-08T09:52:18.909Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":69003,"mtime_before":"2023-03-08T09:51:18.909Z","inode_before":80123,"sha1_after":"685c818c976aac91071629a09a053d4985265295","changed_attributes":["sha1"],"md5_after":"42a957d3413e445009247204d38c0577","sha256_after":"dab03257d777f8cdcef93fb8b010c7995f9db3f9d0652ae41c4fb53317c8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T20:59:32.534Z","size_after":27,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":5690,"tags":["tmp"],"sha1_after":"621f63194b971f75383bbda79c9c590778600fe9","audit":{"process":{"name":"/etc/sample","id":8853,"ppid":50228},"effective_user":{"name":"ec2-user","id":63},"user":{"name":"LOCAL Service","id":94},"group":{"name":"LOCAL Service","id":79}},"md5_after":"2c13a7b1387cf414b28d80078eb1f497","sha256_after":"b8830918f169f0945954b5d81dd0721dab87a21feb82930c0bd03078fd1b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T11:07:26.459Z","size_after":9,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":9940}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T12:24:35.913Z","size_after":46,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":50827,"tags":["tmp"],"sha1_after":"9d8f1446f22f273250cb4cec0de8c75f4b2b879e","audit":{"process":{"name":"/tmp/sample","id":97019,"ppid":67154},"effective_user":{"name":"root","id":34},"user":{"name":"Administrators","id":53},"group":{"name":"Administrators","id":26}},"md5_after":"e061d9f3c8d5013694986f1c626a3415","sha256_after":"97020273d1db55e9ad0e827613aa61c0d891f4b4258697e677580b928fd1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T11:13:27.593Z","size_after":2,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":83365}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T02:24:59.548Z","size_after":3,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":53365,"mtime_before":"2023-03-06T02:23:59.548Z","inode_before":67726,"sha1_after":"abdafbff837881412a332f79ce25c264782b3445","changed_attributes":["sha256"],"md5_after":"f5b56b9c02d6fdcdbca727e2d15f2715","sha256_after":"9549ff67d921c5d8696a376d31c9af4218dcb93777c55ff5309138807599"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T03:26:25.206Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":92449,"tags":["tmp"],"sha1_after":"00f8db78422e3713ce1a6fbf4b86b1f1d7fe3077","audit":{"process":{"name":"/home/user/sample","id":61274,"ppid":92285},"effective_user":{"name":"wazuh","id":85},"user":{"name":"wazuh","id":68},"group":{"name":"root","id":88}},"md5_after":"1f7969b9144b9ea68aa1b054dc56b528","sha256_after":"b3ba0f7031af287849dd7f87bcf8b53a6a7c1bf8c540ce3083343f3af453"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T05:39:58.736Z","size_after":40,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":42228,"mtime_before":"2023-03-03T05:38:58.736Z","inode_before":14448,"sha1_after":"7e16e658ca9ee0d11a2d31caab209d6d066ee3eb","changed_attributes":["sha256"],"md5_after":"629217f7d8e2eeca8c221ab334322c78","sha256_after":"687447bbf411b6e5506f002b2ae9e2f735bb6974693a05f34b50b0b68459"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T15:24:34.553Z","size_after":24,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":55557,"mtime_before":"2023-03-05T15:23:34.553Z","inode_before":99249,"sha1_after":"32137f3b6261d1072e8d55fddae102dc1207cad7","changed_attributes":["tmp"],"md5_after":"de8d0f9d786ae261e909a80e41162a4c","sha256_after":"410e1fa5ef2ae6b959bb53f6eaaf2ce62bfeeb3dbf777e2d68a2c871adc6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T23:15:34.108Z","size_after":11,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":30436,"mtime_before":"2023-03-07T23:14:34.108Z","inode_before":19237,"sha1_after":"0babdb614e6c3bc5ff403d75a33335fc1269242d","changed_attributes":["tmp"],"md5_after":"8763419e942d3b1f14d68f6698cea2fd","sha256_after":"4c7f6f94a10a6fa7767bf4148f65f78e7b386726abe47de6ed2e889a028d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T21:37:07.578Z","size_after":20,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":28602}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T14:41:29.622Z","size_after":14,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":84940}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T08:18:37.790Z","size_after":61,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":44788}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T21:04:19.186Z","size_after":43,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":55212,"mtime_before":"2023-03-03T21:03:19.186Z","inode_before":49577,"sha1_after":"28340da76338e0a2f9f626f0ad28586a4efe8182","changed_attributes":["mtime"],"md5_after":"dd6f9bdb9c8acce26e3957d4fa0ab7bd","sha256_after":"014ac0b6cc9bf3e99d9802b48ba0c38ddf60cb797929a1cc76947a7406bf"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T09:48:59.772Z","size_after":14,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":29531,"tags":["tmp"],"sha1_after":"4c33f31a3d0cd274b64f0a44bdd54097bd66e62d","audit":{"process":{"name":"/tmp/sample","id":22846,"ppid":95278},"effective_user":{"name":"NETWORK Service","id":75},"user":{"name":"wazuh","id":35},"group":{"name":"ec2-user","id":39}},"md5_after":"b5e180acca76e3f5b16332890605e5d0","sha256_after":"70679293a4f516bdf3ebf8b90b3f7a869a0a9c226b27cd8672d7873b6bd8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-08T10:15:48.114Z","size_after":10,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":15481}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T16:23:32.523Z","size_after":26,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":42063,"mtime_before":"2023-03-07T16:22:32.523Z","inode_before":57646,"sha1_after":"2044006445bc956ab776b45a5b3f967d8115726b","changed_attributes":["md5"],"md5_after":"4f2d82ebb7caf7aee2613fd170076863","sha256_after":"f0acb3c3337899d47ab1f34eef45eb7ead8c0cf1d3983d42829bb3fe2abe"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T12:53:47.507Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":36263}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T10:58:42.661Z","size_after":55,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":93462,"tags":["tmp"],"sha1_after":"2da9edda6468053e8ed1d7565a199b65cf12d950","audit":{"process":{"name":"/etc/sample","id":33615,"ppid":95756},"effective_user":{"name":"SYSTEM","id":57},"user":{"name":"SYSTEM","id":14},"group":{"name":"LOCAL Service","id":5}},"md5_after":"9a49347a7aeae15821bf02e5d270f3dd","sha256_after":"7a8a90471aa6de7b89eee45d20397c86295a613ce96c6a78786dc27860e0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T17:10:34.927Z","size_after":43,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":7333}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T06:59:59.632Z","size_after":43,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":77859,"mtime_before":"2023-03-04T06:58:59.632Z","inode_before":54368,"sha1_after":"46339bb2a3691c7a2bc6ff06d1c8b4b44b99c0a5","changed_attributes":["size"],"md5_after":"efa66bdb54e31af2ad8480f86f4c560e","sha256_after":"1acba97c1431b4d9552eb3c739c98c08c406196873a077370aa6022e6c04"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T23:36:00.439Z","size_after":33,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":72757,"mtime_before":"2023-03-03T23:35:00.439Z","inode_before":57962,"sha1_after":"3a5ed13a0e232bc5981555d90d5e888ac4224544","changed_attributes":["mtime"],"md5_after":"0707ef466d2025f5fe0ade2f2372d312","sha256_after":"81c59cdbf302a20a5798f8975b1d7180ffacd1f4eeb58614a15d26dfe66f"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T04:44:56.337Z","size_after":29,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":66792,"mtime_before":"2023-03-03T04:43:56.337Z","inode_before":34264,"sha1_after":"704f6588d9d2ff09bb6e5b2017243f4d0b9e32d8","changed_attributes":["inode"],"md5_after":"b3ff6ec13ce55682b0e8d43fc1d8ed44","sha256_after":"15cf242580ea13aee4d1795c1509f05cf64ef968eefa78a0bd399cd645a1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T06:30:57.916Z","size_after":21,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":52916}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T03:23:01.253Z","size_after":33,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":25653,"tags":["tmp"],"sha1_after":"80276f413d0885566502667f450c375d4ce07fe8","audit":{"process":{"name":"/etc/sample","id":62730,"ppid":51710},"effective_user":{"name":"LOCAL Service","id":0},"user":{"name":"suricata","id":97},"group":{"name":"NETWORK Service","id":19}},"md5_after":"9d4a9902d2de17d2398bd0b896d8e855","sha256_after":"af02a64d96273079ba3333cd2f4d43921dd8d2c565d4efab57aad1d8200f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T15:37:18.322Z","size_after":16,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":24849,"mtime_before":"2023-03-03T15:36:18.322Z","inode_before":81413,"sha1_after":"ecd8f69c87153d44c3512365643e44824bcbcf04","changed_attributes":["inode"],"md5_after":"dc987e6245dfdc0ecdbdb20bcbfc08a5","sha256_after":"e428ca7b29072809987c89cf2d34ac4017009b8f9ad242a499d1d1f3440c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T17:56:17.575Z","size_after":29,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":81791,"tags":["tmp"],"sha1_after":"9592ed21e8a78d7d73a09fc6afbaf8a46837c136","audit":{"process":{"name":"/etc/sample","id":93303,"ppid":53003},"effective_user":{"name":"SYSTEM","id":53},"user":{"name":"wazuh","id":73},"group":{"name":"Administrators","id":19}},"md5_after":"fed4b379455abf126cc870fe6f90bfa2","sha256_after":"0334398bd1239af0b3ea951fec4291bcd6135c7e4032fec867613ac5024a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T21:43:15.036Z","size_after":29,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":61572,"tags":["tmp"],"sha1_after":"07f692a95b904d2d41b6c17f76db97353ca62743","audit":{"process":{"name":"/tmp/sample","id":95129,"ppid":14958},"effective_user":{"name":"NETWORK Service","id":0},"user":{"name":"LOCAL 
Service","id":35},"group":{"name":"root","id":83}},"md5_after":"0d267ba2ddac4568e83fa76c5d97891b","sha256_after":"3aa09ef099f92e6ad5e34db0aa51d2a0e0a13156d3a11a56097817dbf251"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T13:54:15.529Z","size_after":51,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":20054}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T21:36:41.422Z","size_after":24,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":24358}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-08T10:12:21.240Z","size_after":1,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":89780,"mtime_before":"2023-03-08T10:11:21.240Z","inode_before":28855,"sha1_after":"95938abc758d84440a121577e2f287c798685195","changed_attributes":["md5"],"md5_after":"aa4c4238492b15fdbbab8b1a566d4020","sha256_after":"85bca392ef1fc7c60b05ebc3752bce89f8442446fa7af5cccd08ed8a8b78"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T18:49:34.111Z","size_after":20,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":64335}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T19:17:35.539Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":94117}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T02:09:16.858Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":91089}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T12:00:42.541Z","size_after":37,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":18336}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T14:14:14.599Z","size_after":65,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":22779,"tags":["tmp"],"sha1_after":"052e4904f3512d32e90c62c4342e87d7fdd9d89d","audit":{"process":{"name":"/tmp/sample","id":4177,"ppid":98438},"effective_user":{"name":"LOCAL Service","id":98},"user":{"name":"root","id":15},"group":{"name":"NETWORK Service","id":71}},"md5_after":"98f09e481d832d91dde6b2fdc24c2e53","sha256_after":"c4ae63463e0bdffd82b956a749813d4958eceae214b733a8c814f5c2617f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T20:42:09.872Z","size_after":59,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":797}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T22:44:15.124Z","size_after":38,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":7008}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T19:56:56.455Z","size_after":55,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":52769,"mtime_before":"2023-03-06T19:55:56.455Z","inode_before":11155,"sha1_after":"17e39cc1a829a533a31dcd6e40e55324a84b62c2","changed_attributes":["tmp"],"md5_after":"bd2372cd9e1b079fd657c606988f9aa7","sha256_after":"76506dd8240b8538ee442792ae8ac22cd489a574aa5a5d54db0213a93eca"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T21:28:38.912Z","size_after":43,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":64467}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T03:48:50.856Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":18425}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T03:58:04.586Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":39612,"tags":["tmp"],"sha1_after":"c4b44942d37e3cb6bd99da4f678fd6b13dcd6f4a","audit":{"process":{"name":"/home/user/sample","id":63820,"ppid":80108},"effective_user":{"name":"root","id":29},"user":{"name":"ec2-user","id":57},"group":{"name":"LOCAL Service","id":2}},"md5_after":"c56cf3d1ccaf8b9543caea027055e75d","sha256_after":"c9d51800585232d7dbc1dbbd8961460f2bce6a6cd3084e2497fa42a59134"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T19:41:29.857Z","size_after":13,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":3817}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T22:51:13.610Z","size_after":29,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":51575,"tags":["tmp"],"sha1_after":"7c01f60ce7c97a85253ec0c9bfe9e5f96cabe8ca","audit":{"process":{"name":"/home/user/sample","id":31222,"ppid":15130},"effective_user":{"name":"suricata","id":51},"user":{"name":"ec2-user","id":11},"group":{"name":"LOCAL Service","id":53}},"md5_after":"8299af7648a9003a15fe2f971f4f18db","sha256_after":"b529c47c6f16c2382993d447ba0934b7882597d01705ac202fa7f72a1b87"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T02:11:39.674Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":16364}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T17:51:41.090Z","size_after":37,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":25864,"tags":["tmp"],"sha1_after":"3c2cac353b87cae992cd661d60a1c1d517b3f28c","audit":{"process":{"name":"/home/user/sample","id":15211,"ppid":67030},"effective_user":{"name":"Administrators","id":47},"user":{"name":"suricata","id":5},"group":{"name":"LOCAL Service","id":66}},"md5_after":"f3621c768a0d227587885de2232a9cba","sha256_after":"983013c4c8778abdf36e326ec11996019e623310b32ebf822dfccd35129b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T04:00:26.150Z","size_after":51,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":31328,"tags":["tmp"],"sha1_after":"8502d0660f7f2e100714f384fa048ea734114d29","audit":{"process":{"name":"/etc/sample","id":25850,"ppid":46997},"effective_user":{"name":"root","id":33},"user":{"name":"ec2-user","id":44},"group":{"name":"suricata","id":44}},"md5_after":"ff6662f2b15c0e636ef29f9700e7096c","sha256_after":"ad420c18ab32c6c69b3036003de742cbcc5797fd6ecab02c967457319a15"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T01:11:59.140Z","size_after":56,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":20904}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T00:26:43.917Z","size_after":62,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":67974,"mtime_before":"2023-03-07T00:25:43.917Z","inode_before":98813,"sha1_after":"d08d1c98d28993c8b5f400b4e6315a8a6a0ed73f","changed_attributes":["sha256"],"md5_after":"832cc7574b7b5f89719fae5d2653955f","sha256_after":"c8e1120f97246c766070c11f488630019e6ced4aa278c577b484931eeb10"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T16:56:08.258Z","size_after":45,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":34734}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T19:40:14.447Z","size_after":41,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":34683,"mtime_before":"2023-03-07T19:39:14.447Z","inode_before":73311,"sha1_after":"3667b3eff958014cef1207b69a83561efc3396de","changed_attributes":["size"],"md5_after":"40d6c459fdaf1f145cb119843ca7ad74","sha256_after":"b6892fa7034cdcb69da769ec9c70f28232e0a3b73547cd47979400c82831"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T04:53:47.228Z","size_after":58,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":58780,"tags":["tmp"],"sha1_after":"91ec1874d9d5fe9bf79e2feddb0f2a36579ef901","audit":{"process":{"name":"/tmp/sample","id":94325,"ppid":54851},"effective_user":{"name":"wazuh","id":4},"user":{"name":"Administrators","id":89},"group":{"name":"suricata","id":42}},"md5_after":"1d8701e8382f84bd9b4a727f56f696fe","sha256_after":"103b37758b5a602a74f3f7cca4dabe9c790685c42e8baa41428622e5cd13"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T07:26:10.199Z","size_after":51,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":28043}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T19:41:08.325Z","size_after":5,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":57306}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T12:40:00.956Z","size_after":59,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":95744,"mtime_before":"2023-03-06T12:39:00.956Z","inode_before":53273,"sha1_after":"0d0569138b91cf009a5339c86ade586c80de1094","changed_attributes":["inode"],"md5_after":"a130d1e82855325b94332d3a118f90cd","sha256_after":"b6bb3e50c20c199b8cb2c3dffe35fa0658346f784a9ed74490a25613a84c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T11:59:24.205Z","size_after":63,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":58039,"tags":["tmp"],"sha1_after":"43c6c276db9ae2a6ba03efc33f6dcb757d008709","audit":{"process":{"name":"/tmp/sample","id":75471,"ppid":79040},"effective_user":{"name":"SYSTEM","id":69},"user":{"name":"LOCAL Service","id":89},"group":{"name":"ec2-user","id":63}},"md5_after":"84097ef4ec04b47fd4595e4f5299e1af","sha256_after":"2508f71cf665d83fae63c94b2c8792c66ac2571eb8be227699dc2d5c87b6"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T10:29:43.191Z","size_after":6,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":39497,"tags":["tmp"],"sha1_after":"a1a9e33fd4eeb691c0631cda1aa9f9a6d32a09c2","audit":{"process":{"name":"/home/user/sample","id":32199,"ppid":81243},"effective_user":{"name":"SYSTEM","id":80},"user":{"name":"suricata","id":86},"group":{"name":"wazuh","id":9}},"md5_after":"a91ac0592a4c8515410b4938e224f776","sha256_after":"37c71182e9c1a960903fd0ecc0e015e5ad88e382da14bbee0f44659dfbf0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T06:02:54.184Z","size_after":21,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":71460}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T18:41:22.771Z","size_after":24,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":1704}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T03:19:40.152Z","size_after":52,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":37166,"tags":["tmp"],"sha1_after":"d19a4255ba2829e568c8d23979e1e236785514fc","audit":{"process":{"name":"/etc/sample","id":68721,"ppid":93110},"effective_user":{"name":"NETWORK Service","id":37},"user":{"name":"NETWORK Service","id":70},"group":{"name":"LOCAL Service","id":6}},"md5_after":"5c0276342d01ca47daf26bf82ce2b5dc","sha256_after":"cfb785ab1992d9cadb6b0ae229918d702992ab284c58d0b6a453e05fd6f1"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T07:04:00.244Z","size_after":44,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":9321,"mtime_before":"2023-03-05T07:03:00.244Z","inode_before":14196,"sha1_after":"79c324ef5cace6642a3a4053d8b58d242cbe013d","changed_attributes":["sha1"],"md5_after":"46114220c0516929020a6f77d1e7b362","sha256_after":"5f57ff2e19450541d5b3650b6837f5de3a5865f0fbebf366f03069803141"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T23:31:06.509Z","size_after":55,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":50218}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T10:33:39.998Z","size_after":65,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":79558,"tags":["tmp"],"sha1_after":"76f8efe5a4348ad79e7cffb7b9a225b936bff97f","audit":{"process":{"name":"/home/user/sample","id":58878,"ppid":87541},"effective_user":{"name":"ec2-user","id":26},"user":{"name":"root","id":72},"group":{"name":"suricata","id":0}},"md5_after":"b15d434f6a02d371bd7cc6b5dd95a6b6","sha256_after":"5616b0ba36d0496baa05c19bf1e31fe5f77dc2d234b326ee4177d7ea0ecb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T01:19:00.872Z","size_after":51,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":99727,"tags":["tmp"],"sha1_after":"2a4baf326d31f8fcc0e9fa5bacff55a0e7898371","audit":{"process":{"name":"/etc/sample","id":26408,"ppid":22705},"effective_user":{"name":"NETWORK Service","id":50},"user":{"name":"LOCAL Service","id":2},"group":{"name":"Administrators","id":39}},"md5_after":"91761ba3e500488ed5762e4daf821f35","sha256_after":"faf3556fdb44d6aaadcb822dcb641f643290586330faebd60ac8b6607242"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T15:56:17.373Z","size_after":49,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":16909}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T00:05:12.163Z","size_after":27,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":64955,"tags":["tmp"],"sha1_after":"f9c741d0feaf220487b71fab2483ee83767cdca7","audit":{"process":{"name":"/home/user/sample","id":41989,"ppid":272},"effective_user":{"name":"NETWORK Service","id":55},"user":{"name":"LOCAL Service","id":69},"group":{"name":"suricata","id":16}},"md5_after":"1be1bcd5ca1cf2a557ed949796f7045e","sha256_after":"bc1aa2e9df1be7289ecc6fa60ded053734caa73e293c684b511a03722ae5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T03:22:50.021Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":29633,"tags":["tmp"],"sha1_after":"f5bf1ab89673bd03576342a1ddfdfc731710affb","audit":{"process":{"name":"/etc/sample","id":15220,"ppid":75514},"effective_user":{"name":"NETWORK 
Service","id":69},"user":{"name":"Administrators","id":29},"group":{"name":"wazuh","id":0}},"md5_after":"a800211950351b42be8a8cf06f637ed8","sha256_after":"7f6c63cead4dc1233a3220ae103115105083e4bcf0dafd3adb641bcc47dc"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T22:32:44.404Z","size_after":5,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":40359,"mtime_before":"2023-03-06T22:31:44.404Z","inode_before":3318,"sha1_after":"1b5b5012257f1667f9fb6a68c47e63bdb9e1c45a","changed_attributes":["mtime"],"md5_after":"04e4ca0c24571646dba0359eb2ff9b0a","sha256_after":"a137e58d3e1fdffab4297b3485c0e7b6e6168f46284e5868a010ccbc1a00"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T17:38:02.599Z","size_after":60,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":71483,"tags":["tmp"],"sha1_after":"72f60b49f2a2b45bb7fcbcc600b8b20c8c93d53f","audit":{"process":{"name":"/tmp/sample","id":28990,"ppid":36945},"effective_user":{"name":"root","id":88},"user":{"name":"wazuh","id":93},"group":{"name":"wazuh","id":53}},"md5_after":"aec552eba7de2840490b20bce31f6414","sha256_after":"98691139688402cf0cdd4ccad735102a4cf9d9fdf300bb38674d1efb9953"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T08:34:02.429Z","size_after":55,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":16177}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T09:51:44.710Z","size_after":39,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":42647,"tags":["tmp"],"sha1_after":"bd4bbbf6639334e3ec07fca0c2653558d292b302","audit":{"process":{"name":"/tmp/sample","id":10425,"ppid":38892},"effective_user":{"name":"NETWORK Service","id":66},"user":{"name":"Administrators","id":39},"group":{"name":"ec2-user","id":48}},"md5_after":"226f941eca7c3d0256fd9a45fd57b085","sha256_after":"c2a5cd742c41249ab90ac067f6df8d6b4cc370c3d89260adba3f00fbbb43"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T00:01:52.327Z","size_after":30,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":31062}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T22:25:25.382Z","size_after":9,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":68891,"tags":["tmp"],"sha1_after":"b0dd7ca31d2b7247d0e907aba1e74cc5bcb3581f","audit":{"process":{"name":"/home/user/sample","id":62338,"ppid":90671},"effective_user":{"name":"wazuh","id":90},"user":{"name":"LOCAL Service","id":7},"group":{"name":"ec2-user","id":86}},"md5_after":"5a46a610b2b17eb7f967eeda8d4703f3","sha256_after":"bb4e35e06632430c357599f061669a8701b0e4dba8330c110a7e840c229d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T10:45:29.423Z","size_after":56,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":56113}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T09:49:40.004Z","size_after":43,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":9693}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T16:23:02.320Z","size_after":33,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":66758,"tags":["tmp"],"sha1_after":"bd884d3831ca924f473aa268411121d5012b10d7","audit":{"process":{"name":"/tmp/sample","id":21346,"ppid":90104},"effective_user":{"name":"LOCAL Service","id":78},"user":{"name":"Administrators","id":84},"group":{"name":"NETWORK Service","id":89}},"md5_after":"0cb42723ab0a91a43b4c3962e0d07acd","sha256_after":"14f08204978aadfc81e6dc99d1381e39e56f41577dd8e8a6f4eb11330de6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T23:02:49.141Z","size_after":12,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":39494,"mtime_before":"2023-03-07T23:01:49.141Z","inode_before":54226,"sha1_after":"8c3eea91f73f038a6f05553f9600de8c5e79c06e","changed_attributes":["inode"],"md5_after":"15679bebca558819b5eaed7c23706faa","sha256_after":"e5c4963a76ebde14d1a702c5bed494f41e0f550d665b6a40f1e22e4a394d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files 
(x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T06:29:12.504Z","size_after":63,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":74873,"mtime_before":"2023-03-07T06:28:12.504Z","inode_before":89382,"sha1_after":"3132298f8ba43e8b2b268532b6d5422bd38d5d10","changed_attributes":["inode"],"md5_after":"5327e5fe445e58135cb8586e32e5816f","sha256_after":"7faf543637b4fce47c8c74a57ab4d254b33d4eb33a38a4736bdffdb4f4d1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T02:03:34.678Z","size_after":8,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":80243,"tags":["tmp"],"sha1_after":"d49349ace2a2151bca27620b570d630f8bfba572","audit":{"process":{"name":"/tmp/sample","id":87655,"ppid":8991},"effective_user":{"name":"NETWORK Service","id":74},"user":{"name":"root","id":42},"group":{"name":"LOCAL Service","id":42}},"md5_after":"6f7ae0c3706903815cac307b2ed95b15","sha256_after":"02456ea116b1e9e8917621ee72d4a7105f4d6373141a97749ae1ea0b6ea1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T14:56:27.643Z","size_after":13,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":86868,"mtime_before":"2023-03-04T14:55:27.643Z","inode_before":12675,"sha1_after":"c29da9ddd2aceaae28e88a45286d4254179cabef","changed_attributes":["size"],"md5_after":"de8e6e9c88cb18964a31b0ebdcbb81a9","sha256_after":"2ba26dac29532a95644a4e380def5105b496db0d643c910144415ad6a6b4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-08T01:29:01.217Z","size_after":6,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":66708,"tags":["tmp"],"sha1_after":"4507e406b4b61471d3a1f8a7340f5c0151f764f4","audit":{"process":{"name":"/tmp/sample","id":96757,"ppid":49969},"effective_user":{"name":"suricata","id":9},"user":{"name":"Administrators","id":85},"group":{"name":"suricata","id":44}},"md5_after":"f868a636cdaf15a7488a44b8114c89d6","sha256_after":"1cb21c85899e430eb0c84a45b0db449343823bdd516a8bfffd4925095c2c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T04:05:52.802Z","size_after":0,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":90219,"mtime_before":"2023-03-08T04:04:52.802Z","inode_before":9406,"sha1_after":"ec542ba55e11e70eb6e653ddbd6b16c7d7a1f868","changed_attributes":["sha1"],"md5_after":"d91797bcd157e56b09f359e8bf6561b7","sha256_after":"17cd2df0e50e30072f721a4bf09356dbca0e2c2010eae87aa56a11fe0bee"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T07:15:59.132Z","size_after":16,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":72103}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T08:50:45.663Z","size_after":38,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":36355,"mtime_before":"2023-03-05T08:49:45.663Z","inode_before":40765,"sha1_after":"286c6ed8b4e4a355cecb3250181fccb41fe9d2e2","changed_attributes":["sha256"],"md5_after":"6444a8b4b43cfdda56802838fd39e4c0","sha256_after":"85987ad73b58338823f7909a86a6f65c32d1befdc6f9483805a107f25fe3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T13:48:35.277Z","size_after":45,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":14926,"mtime_before":"2023-03-07T13:47:35.277Z","inode_before":30114,"sha1_after":"1ca23ee3bdb37f9e3a76635b5377a31a24a8d30a","changed_attributes":["tmp"],"md5_after":"e7e32060f744a6e9aa3b886d63e02d93","sha256_after":"f4533ae05d6aa2a79b9b3199b5de9f4b3f2ff2ea949980852f0cc716adef"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T23:23:24.257Z","size_after":51,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":46271,"mtime_before":"2023-03-06T23:22:24.257Z","inode_before":72831,"sha1_after":"f076f35317b6770971e91779a46ff9e520d49103","changed_attributes":["sha1"],"md5_after":"cb4f7dd83143a426fd71f52cc5d7c469","sha256_after":"14f59b9acc96bdadc53e4e663e1998dd6add6d3baf08e66a99fa79e87929"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T03:02:56.805Z","size_after":50,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":209}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T09:19:06.690Z","size_after":38,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":56105}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T15:34:11.509Z","size_after":52,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":66736}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T04:40:43.402Z","size_after":46,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":17635,"mtime_before":"2023-03-04T04:39:43.402Z","inode_before":15728,"sha1_after":"bf712c0cfac359ed5cb28656f0fa1dad3f51a87d","changed_attributes":["md5"],"md5_after":"a52b05143ac0eb0b05b1f133e4b43211","sha256_after":"19819232fdc5352d8f5da86211242b229c29af7be11f417096ffea73b55b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T04:08:08.135Z","size_after":63,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":31648,"mtime_before":"2023-03-06T04:07:08.135Z","inode_before":74001,"sha1_after":"0798ed0d3f54bff6b60cc28e38e648d5303b282d","changed_attributes":["size"],"md5_after":"717c60efcb1162ec3f984d544f08386a","sha256_after":"fa11e49e0fbe49325e0f7cf6d4dcae8a4c367e86848a1def60a78c6d604d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T05:24:49.191Z","size_after":37,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":30518,"tags":["tmp"],"sha1_after":"7b7b5ee895bf52415e817bc35a35c6ac5944c6a6","audit":{"process":{"name":"/home/user/sample","id":44170,"ppid":17509},"effective_user":{"name":"root","id":75},"user":{"name":"NETWORK 
Service","id":93},"group":{"name":"SYSTEM","id":42}},"md5_after":"f73fa5745ddbe5be8118ff5c4d969c36","sha256_after":"ce539aedfbe4ee3b108fb21e45e8b5e6e45d6854bc0672dc2f4c4213ba37"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T03:31:05.008Z","size_after":19,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":58696,"tags":["tmp"],"sha1_after":"1a4d9d6e4c2816e981a54f7c0838b3150f22cc5a","audit":{"process":{"name":"/home/user/sample","id":98775,"ppid":42700},"effective_user":{"name":"suricata","id":45},"user":{"name":"Administrators","id":64},"group":{"name":"ec2-user","id":59}},"md5_after":"f132dedbabef9324e4dd6b0485f1f4f9","sha256_after":"ab28a0263c48578cf746afab414c11868cb043277d29faba04feb20d0a18"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T04:28:34.753Z","size_after":23,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":65531,"mtime_before":"2023-03-02T04:27:34.753Z","inode_before":19372,"sha1_after":"3f0dd6cb3eab8a492da71c44d3a9f2eea28c6641","changed_attributes":["tmp"],"md5_after":"0ad7e69e615d6b89c166ff19ce478e0a","sha256_after":"7799cc234efae3bc232be67dd187a725c57be1965dec7b0b267263631095"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T16:00:08.031Z","size_after":60,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":9105,"mtime_before":"2023-03-02T15:59:08.031Z","inode_before":28369,"sha1_after":"28b6f19df5e85d28b4effb67f1c85468ad590fed","changed_attributes":["inode"],"md5_after":"c06d3c156cf56bb10ce9b2956b3b8ad4","sha256_after":"6f606d36b63ec185fea848eb5633e09944543f420dcda8b899ba98859f22"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T08:36:36.664Z","size_after":19,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":51764,"tags":["tmp"],"sha1_after":"640aa8e8e6542e77f6ada66dce5cc863dbb3bcdc","audit":{"process":{"name":"/home/user/sample","id":1190,"ppid":51743},"effective_user":{"name":"ec2-user","id":40},"user":{"name":"Administrators","id":13},"group":{"name":"SYSTEM","id":46}},"md5_after":"aba5542e22e6554e0a7a949a9759b65e","sha256_after":"caf68bc94740bf2f4e3ada03e04170118c13dd7b45a7c287d8ebc2bb369f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T10:21:21.525Z","size_after":57,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":52843}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T14:52:42.297Z","size_after":20,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":37378,"mtime_before":"2023-03-07T14:51:42.297Z","inode_before":75917,"sha1_after":"0d426560a98db8cd8978babc20f39b4f2a162b7d","changed_attributes":["sha256"],"md5_after":"2993abf9f3f6a402d4dd87a263a58639","sha256_after":"5dea9fd8b219a49fb7846898258277f635f868ac5d2c2ebd3e014b114f2b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T15:51:09.907Z","size_after":29,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":68928}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T23:32:05.969Z","size_after":41,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":70059}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T02:42:54.210Z","size_after":44,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":51367,"mtime_before":"2023-03-04T02:41:54.210Z","inode_before":29702,"sha1_after":"a2edd357c5dd6bbf70d58ae71e17482641bc2759","changed_attributes":["mtime"],"md5_after":"906f991285fea1a86d6175715b0f3366","sha256_after":"1f355819dba5f9ac2356b8ba8fc232a26f73b43fddab8f5dfa54774f80a4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T15:20:37.309Z","size_after":48,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":82823,"tags":["tmp"],"sha1_after":"c6dca883303c7afa817f04d9d5b3e0979d85163d","audit":{"process":{"name":"/tmp/sample","id":93600,"ppid":574},"effective_user":{"name":"SYSTEM","id":98},"user":{"name":"root","id":11},"group":{"name":"SYSTEM","id":79}},"md5_after":"ceca72b99c724445274351c187371daa","sha256_after":"0cb6fdfd102b88f495e16c3c55e6d656a60fd4d94d5befaccb7b59b0a970"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-06T01:55:19.450Z","size_after":36,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":50585,"tags":["tmp"],"sha1_after":"63ee5ee70d8dc7a19dc1e8f32213b60daf057b6b","audit":{"process":{"name":"/etc/sample","id":92200,"ppid":64282},"effective_user":{"name":"wazuh","id":89},"user":{"name":"ec2-user","id":58},"group":{"name":"Administrators","id":63}},"md5_after":"899f503f540e71f12bd28cd7cb4184c1","sha256_after":"c0041556028442e9668ac40844de35a4a459dec0dc8f9fdf1fa621dd5622"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T00:15:54.901Z","size_after":58,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":32182}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T20:14:53.818Z","size_after":30,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":55409}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T00:57:22.682Z","size_after":23,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":89992,"mtime_before":"2023-03-07T00:56:22.682Z","inode_before":40369,"sha1_after":"0ad80acb6546f71dccc4d9157e6e180f09879055","changed_attributes":["sha1"],"md5_after":"01a120cc70eb3e4a8b4fbb15bab0d4cf","sha256_after":"c316eac6bf3fd35ed943bc6777e00ae4aa92664a40b35fec359cea5f767b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T23:50:32.224Z","size_after":47,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":2606,"mtime_before":"2023-03-01T23:49:32.224Z","inode_before":69600,"sha1_after":"c0b82415a7e24f4a6d83a3edfa344293c57331a7","changed_attributes":["sha1"],"md5_after":"bb2c84280e375b42aabf52311955aadc","sha256_after":"181a3ab761ef1f4407c7f3fb15456f6d859930bf4b4574dc2df3df690221"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T12:26:23.444Z","size_after":29,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":48061}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T11:24:56.885Z","size_after":10,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":77741,"tags":["tmp"],"sha1_after":"469c716e6fa9e0a3f5b6c461811746e10113e4be","audit":{"process":{"name":"/tmp/sample","id":42643,"ppid":34182},"effective_user":{"name":"NETWORK Service","id":6},"user":{"name":"Administrators","id":28},"group":{"name":"wazuh","id":62}},"md5_after":"8ccf24cb66aff443e27c587e3073a8d2","sha256_after":"81c1b26ff51eec8c7d4c4cb1f4cf8536526ba97a6735e8a65d28e4d8ae86"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T15:26:39.181Z","size_after":59,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":59103,"mtime_before":"2023-03-07T15:25:39.181Z","inode_before":62273,"sha1_after":"207426e5f6f954856999bc05dc13b1f19e8c7fac","changed_attributes":["size"],"md5_after":"32211541c8868927d79f8bbfa0b36909","sha256_after":"4308ab9ac19d7f83e8891503372212bbadfac755568cc9ba8d3f87a1409f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T10:09:47.144Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":41543,"tags":["tmp"],"sha1_after":"e86877bba535234a8f7fd086aa6543d6c55351ad","audit":{"process":{"name":"/tmp/sample","id":12075,"ppid":85388},"effective_user":{"name":"wazuh","id":62},"user":{"name":"suricata","id":10},"group":{"name":"wazuh","id":9}},"md5_after":"285f7cdc8884bf83e6dd16f8734a7e4a","sha256_after":"35ccf981434de286f90b2e1e6997c17fd5fc5d2a9b134441e25a508b00a6"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T09:29:38.614Z","size_after":55,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":76413,"mtime_before":"2023-03-08T09:28:38.614Z","inode_before":88280,"sha1_after":"8fedeb56bdc61f1b4942230cb3049531e8cb67cc","changed_attributes":["size"],"md5_after":"28401fe346c36aecb1605fce3c7a6e49","sha256_after":"325b10c17a9c427b38b86f13e2de39e59e020a0dfacdc8dc9591ab7b15bb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T14:17:43.302Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":46572}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T01:56:22.703Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":47522,"mtime_before":"2023-03-06T01:55:22.703Z","inode_before":8084,"sha1_after":"318660a291894f1e6db53e94c5b3e6d957a9f6ff","changed_attributes":["tmp"],"md5_after":"55e8d9665685162e851f435a72b73a87","sha256_after":"60027eeefd2e31940e4cc9764141a62c6251d03ee7cbf92eabfa7ac09348"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T23:16:43.405Z","size_after":42,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":27450,"mtime_before":"2023-03-01T23:15:43.405Z","inode_before":10628,"sha1_after":"3e6f7e5cf5bd89e21c587aa02b1e0d7335f7b911","changed_attributes":["size"],"md5_after":"bf8b1f77ee05a8d74a76ce5263354859","sha256_after":"753ec26662a325c48efe309f80e89f514dba043af0759c2950f531724f3e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T08:58:25.265Z","size_after":20,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":76726}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T02:54:02.236Z","size_after":6,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":26646}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T23:50:17.945Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":5278,"mtime_before":"2023-03-01T23:49:17.945Z","inode_before":32225,"sha1_after":"329ff848923b210f5928a0472ad1cab919b4f82b","changed_attributes":["md5"],"md5_after":"1358311c09798ef7ec6ac867c10b4cd6","sha256_after":"9023866895b140e75b9e5726ce51b18a39914e211df0ba66462288ec2776"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T07:03:48.317Z","size_after":33,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":17725,"tags":["tmp"],"sha1_after":"deafd8e337dd7517fa0ad1cb29c6ed13f307fea5","audit":{"process":{"name":"/etc/sample","id":95230,"ppid":90543},"effective_user":{"name":"wazuh","id":100},"user":{"name":"LOCAL Service","id":89},"group":{"name":"root","id":83}},"md5_after":"5194058a9f7dc6e0cb3daa3527c3bccd","sha256_after":"482c17141752b38d39e20763fcf7bf917bfce9e193a33512c03ade98d47f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files 
(x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T09:00:42.995Z","size_after":34,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":37487,"tags":["tmp"],"sha1_after":"404b3589f2070c2a2f6fe3f3ab25f13ca5d60426","audit":{"process":{"name":"/home/user/sample","id":64536,"ppid":50319},"effective_user":{"name":"suricata","id":3},"user":{"name":"ec2-user","id":14},"group":{"name":"root","id":55}},"md5_after":"587e93c4a5ce719bbbbcb4d723be5897","sha256_after":"ec3091291f879197794595eac6c8eb1ca8d3a2e32da3de182ad2984be6ae"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T17:24:47.502Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":96138,"tags":["tmp"],"sha1_after":"588f47b48e31612c6400d4d6cff9b63a0d01267a","audit":{"process":{"name":"/tmp/sample","id":18703,"ppid":68436},"effective_user":{"name":"LOCAL Service","id":99},"user":{"name":"SYSTEM","id":9},"group":{"name":"root","id":57}},"md5_after":"7e3847c7047b72948b5fc62ddccf9de0","sha256_after":"52ae3fdf029ae1e2662dbfdc4dde6432876fecf846c5d57132b6f0e4c616"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T16:29:35.024Z","size_after":21,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":50698}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T23:59:40.333Z","size_after":59,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":24884,"mtime_before":"2023-03-07T23:58:40.333Z","inode_before":96711,"sha1_after":"5e39df83c09123b4d449368c2119d876db7d0240","changed_attributes":["tmp"],"md5_after":"1940340e55dd6aeaa40581d4dc50fed4","sha256_after":"b63e327fe57f3474d92b918b7182669853a9ca2f2621ba8571e92351d83c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T11:25:39.141Z","size_after":58,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":44213,"tags":["tmp"],"sha1_after":"241bf3c2ffaf0f5ce52c46aec2e3632bd14adb35","audit":{"process":{"name":"/home/user/sample","id":33075,"ppid":85760},"effective_user":{"name":"suricata","id":31},"user":{"name":"root","id":27},"group":{"name":"Administrators","id":36}},"md5_after":"37877c2259df44015759f88d2b42f702","sha256_after":"63effd68d21d72056df01167f696ed3044a87a88acd356b0af19d0e55980"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T01:07:13.421Z","size_after":45,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":40672}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T07:28:46.415Z","size_after":61,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":79645,"mtime_before":"2023-03-07T07:27:46.415Z","inode_before":84100,"sha1_after":"7a1662e91a003f1858654aead930c0466afde4bb","changed_attributes":["inode"],"md5_after":"fcee5f5fa69be28760af4f42380a4607","sha256_after":"5e03b6946be5ad1ac9102b044db8230dfbd308027edc47429facf07d6741"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T17:17:45.506Z","size_after":25,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":40710,"tags":["tmp"],"sha1_after":"f9c52667f4a723f3682b8104d2e7ce92ee224401","audit":{"process":{"name":"/etc/sample","id":17946,"ppid":45620},"effective_user":{"name":"root","id":90},"user":{"name":"ec2-user","id":66},"group":{"name":"SYSTEM","id":51}},"md5_after":"7e40249a0e85cdc892e9895cec706420","sha256_after":"02cc48a7f46660711071bf66ce85d19c0fd6f8ab4a4e6a0883d42224e281"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T09:25:19.132Z","size_after":4,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":17965,"tags":["tmp"],"sha1_after":"a3fe68e22be7b71d5f8311810c46806a07ca8788","audit":{"process":{"name":"/tmp/sample","id":33936,"ppid":19657},"effective_user":{"name":"root","id":80},"user":{"name":"LOCAL Service","id":84},"group":{"name":"LOCAL 
Service","id":49}},"md5_after":"e830b8efc600d83d32abe08e97750cfd","sha256_after":"604a4d2e816205af9adaf0d0c300294f26c4415e7cf1844cc576cb4447f5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T07:46:57.568Z","size_after":23,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":69516,"mtime_before":"2023-03-05T07:45:57.568Z","inode_before":333,"sha1_after":"25fe905d08d4def16f91b6848100da8bd49673f3","changed_attributes":["tmp"],"md5_after":"c9b5ca2ec97f0272ce9d8837a758227c","sha256_after":"5f68ada7de12f18d6f3a2ffc79a2f4a510dceaa63ee8a549e641f3ed7909"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T16:40:37.353Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":36705,"tags":["tmp"],"sha1_after":"cace90376a65573fc1fc033b86089d8373bd265f","audit":{"process":{"name":"/etc/sample","id":61825,"ppid":8746},"effective_user":{"name":"suricata","id":56},"user":{"name":"NETWORK Service","id":100},"group":{"name":"SYSTEM","id":95}},"md5_after":"8b7aae7b8e73cd83137005a702106c82","sha256_after":"964855df16c601174be1d59d4a79d1abd4b1e628d72bf0e69a9efc8f4a7d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T22:38:33.118Z","size_after":22,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":9040,"tags":["tmp"],"sha1_after":"cd10440b3f35ee015a6b8c5719acb7bb824fb957","audit":{"process":{"name":"/home/user/sample","id":57791,"ppid":42045},"effective_user":{"name":"ec2-user","id":6},"user":{"name":"wazuh","id":73},"group":{"name":"wazuh","id":50}},"md5_after":"01e6a228c1e311aa9797011e7f322e2a","sha256_after":"1a0b4c1deeab84b7b608641a9da76b855fddf92c86249b5839d706e53c61"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T23:56:23.490Z","size_after":50,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":39653,"mtime_before":"2023-03-04T23:55:23.490Z","inode_before":45151,"sha1_after":"b826415044b51ba77884340d5ef8ad1da2b827ec","changed_attributes":["sha1"],"md5_after":"5d66ca6d538d43984a86fa807c646fc9","sha256_after":"8a8dd598e1cf6c8d18482e148a15c0ffb634465df5d0db9cbf9732be1673"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T00:04:16.638Z","size_after":41,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":46891}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T20:43:31.080Z","size_after":7,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":6586}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T18:09:02.756Z","size_after":21,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":83056,"mtime_before":"2023-03-04T18:08:02.756Z","inode_before":60437,"sha1_after":"47321ee346051cf87ecdc811db2a31ba054bd4ab","changed_attributes":["inode"],"md5_after":"ee445eab8fcfa4036d7e098ba115aa51","sha256_after":"3fa22f910b7a089406c964621af5684ff731c64534b819d80229cee1e5c4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T01:35:04.276Z","size_after":4,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":73527,"tags":["tmp"],"sha1_after":"8e11c4cd5f902c112241a73389562ddfe985de46","audit":{"process":{"name":"/etc/sample","id":53169,"ppid":81470},"effective_user":{"name":"wazuh","id":80},"user":{"name":"SYSTEM","id":50},"group":{"name":"suricata","id":1}},"md5_after":"69b87959e12889079f523622a627c3d2","sha256_after":"c29091294ed584c4af4704f5f421760bf1896da88f82e9a038931218c5ec"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T21:35:17.855Z","size_after":11,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":31873,"tags":["tmp"],"sha1_after":"ad883980cc439fd220f4d248894cb6f6eb87b60b","audit":{"process":{"name":"/tmp/sample","id":94353,"ppid":60667},"effective_user":{"name":"wazuh","id":73},"user":{"name":"Administrators","id":82},"group":{"name":"suricata","id":10}},"md5_after":"d05d36dc8e42b3f5542dc13d39237f76","sha256_after":"b1b5a0676dc2bcf2f237a0bb65c52aab942e0d8de7c4b458ee09427a604b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T19:11:54.890Z","size_after":11,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":62699,"mtime_before":"2023-03-01T19:10:54.890Z","inode_before":78908,"sha1_after":"1f5953cc28ce9bd1ffc41d4ab364681ec45df0ab","changed_attributes":["sha256"],"md5_after":"d9347cf2c94429728821252df818cf46","sha256_after":"baa4dcf797676fb5add85fa7f384616552d186551353be9ea79e5a0449c7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T14:44:59.575Z","size_after":56,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":56378}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T15:01:07.340Z","size_after":18,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":73560,"mtime_before":"2023-03-07T15:00:07.340Z","inode_before":54495,"sha1_after":"9417db6b22968a2abef4b3205ce50f9258aac745","changed_attributes":["sha1"],"md5_after":"68986e25bbedaa22f8d5460f6fdcc6d1","sha256_after":"4384d550974074c0d7106b072b62e923bfaf1decd6753b311abcf3d39522"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T14:53:27.932Z","size_after":48,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":65644}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T16:00:17.989Z","size_after":41,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":45632}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T22:40:32.768Z","size_after":60,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":81966}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T05:29:40.014Z","size_after":28,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":57049,"tags":["tmp"],"sha1_after":"916d39156055cfe54fa94d0cd75caf296beaa206","audit":{"process":{"name":"/home/user/sample","id":99529,"ppid":16783},"effective_user":{"name":"Administrators","id":4},"user":{"name":"wazuh","id":12},"group":{"name":"Administrators","id":74}},"md5_after":"a9097e38bc6db13c334fb6d14f3c4edc","sha256_after":"ba20698867eb505637dbe7b0b3ec85d3c05bf285718e306165131dcdd9d7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T12:16:34.296Z","size_after":13,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":76640}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T21:44:12.030Z","size_after":2,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":53123,"mtime_before":"2023-03-04T21:43:12.030Z","inode_before":68463,"sha1_after":"5f38df6583010d63688337bc4e16eb698ddecdaf","changed_attributes":["tmp"],"md5_after":"1227dc9f2ad2e9a4ddc20c2a5dfaa733","sha256_after":"b75ba578a0127742e00bd17e8c1fb282dacff9045229ccfcfe8007df0c80"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T07:12:56.277Z","size_after":9,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":49619}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T08:44:11.431Z","size_after":33,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":14885,"tags":["tmp"],"sha1_after":"94da9478a6fc6a0cf055fb21d5b7248cca619ac0","audit":{"process":{"name":"/tmp/sample","id":42338,"ppid":73297},"effective_user":{"name":"root","id":59},"user":{"name":"suricata","id":48},"group":{"name":"suricata","id":97}},"md5_after":"f7d1faba8e4e6f0c15032d3b7e75d672","sha256_after":"4b58185fdc7a5d45a42299075317582777ae62bcce945849ab2694530fc6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T05:35:53.893Z","size_after":60,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":73691}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T15:07:37.401Z","size_after":44,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":35816,"mtime_before":"2023-03-06T15:06:37.401Z","inode_before":55946,"sha1_after":"71412f2ca253f2bbe951e06eaf4d8435a9d71c97","changed_attributes":["md5"],"md5_after":"2e66d44e703e681e8eef9515748e8546","sha256_after":"c3e518bf1d09ccb6808eac810fee34c2b832f59574501725ade8c0d53405"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-02T10:38:14.446Z","size_after":48,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":71337,"mtime_before":"2023-03-02T10:37:14.446Z","inode_before":84980,"sha1_after":"bcef91ca12b7a3c5f880905aff95feeebbc51126","changed_attributes":["md5"],"md5_after":"b29f14bdab25b4ecbca7bd07d51dd492","sha256_after":"3a671e5e1fab4142feba8c4fade109c8eea87bd8722783938efc5336e916"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T20:49:24.134Z","size_after":32,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":17371,"tags":["tmp"],"sha1_after":"fb2459d14f3e2877ed0a04cb651a92537045e4d9","audit":{"process":{"name":"/tmp/sample","id":46816,"ppid":53665},"effective_user":{"name":"LOCAL Service","id":37},"user":{"name":"root","id":4},"group":{"name":"ec2-user","id":11}},"md5_after":"d62ac060fd1b4fceccc61be8f1d07714","sha256_after":"0f47e88d4288c8330cbc2677bc8572f2f5a7e1dce264179faad66ad6df5c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T07:02:43.273Z","size_after":37,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":45035,"mtime_before":"2023-03-05T07:01:43.273Z","inode_before":29642,"sha1_after":"6ea9867bd3d2ba69b28eb54d416180ecf10c09f0","changed_attributes":["mtime"],"md5_after":"d5b048cfb1ed76ad0e448563e59e124c","sha256_after":"49a7a049cf26c1d875df253c975ac37c4020eebcc5a15627453b7cbceca3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T19:16:04.181Z","size_after":55,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":20404,"mtime_before":"2023-03-01T19:15:04.181Z","inode_before":28783,"sha1_after":"e482581b44af18b7fffc7f87f06682383e10cb5e","changed_attributes":["md5"],"md5_after":"804785ca159874ddca204f4e72088f42","sha256_after":"8a78ff0ec5ca1e04698b477aaa43706d75bb1a048cb460e5ffdd56eb5fd8"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T13:32:25.067Z","size_after":38,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":48051,"mtime_before":"2023-03-03T13:31:25.067Z","inode_before":81824,"sha1_after":"f73077014adbdcbce10e11ca3ed805114858bcbc","changed_attributes":["mtime"],"md5_after":"b86a4fd61501a842dcb6cff9e8da50bc","sha256_after":"f85c232f7b317ecfdd8416dce01e1dd25c3d64bbf8c918c218ff02b8f98e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T19:47:30.957Z","size_after":46,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":58778,"tags":["tmp"],"sha1_after":"71dc451c5a9f3eaad1ceef41a8398978bb54ce0f","audit":{"process":{"name":"/etc/sample","id":91494,"ppid":56465},"effective_user":{"name":"NETWORK 
Service","id":40},"user":{"name":"suricata","id":65},"group":{"name":"ec2-user","id":57}},"md5_after":"0e884556ec14b68c99b2d2714b3fbfbf","sha256_after":"1453276c29f7aab108e4a9fcae897c4d3505915902ff773ddbffcdfb6052"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T21:06:00.339Z","size_after":31,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":46054,"mtime_before":"2023-03-01T21:05:00.339Z","inode_before":17331,"sha1_after":"30dfa0adef583ea69c97aa9c2a5cc7ec015d004c","changed_attributes":["inode"],"md5_after":"6c581216731c7dc69c827fc281b8f893","sha256_after":"664bd643de9d206f49ee070fa5893a663cd219c847e3cee900212927f146"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T07:55:38.881Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":90062}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T19:18:49.715Z","size_after":10,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":89592}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T15:14:43.947Z","size_after":37,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":90511,"tags":["tmp"],"sha1_after":"afc64ab17fed4f56b5f039d4bac8aa4f7de076b6","audit":{"process":{"name":"/tmp/sample","id":23749,"ppid":5259},"effective_user":{"name":"suricata","id":99},"user":{"name":"SYSTEM","id":50},"group":{"name":"wazuh","id":53}},"md5_after":"f95c948ab7e2777c99b5afc8263c2e70","sha256_after":"b2f353f4781ee4f9b3af5226e7369275e67459c5bd0199dda78b212bc1dd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T01:50:07.881Z","size_after":24,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":7845}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T09:40:35.495Z","size_after":25,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":71961,"tags":["tmp"],"sha1_after":"d6e48639569480fa6ddcb0cdf0e9300e2b4832a1","audit":{"process":{"name":"/etc/sample","id":42374,"ppid":49880},"effective_user":{"name":"ec2-user","id":21},"user":{"name":"root","id":42},"group":{"name":"ec2-user","id":45}},"md5_after":"94d126d576c68c05c285f15513be7aaa","sha256_after":"dcc827aa57e913e260e27bafcf18fc1989c2087524d3f6e50d0e915918f8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T22:57:51.148Z","size_after":41,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":21178,"mtime_before":"2023-03-05T22:56:51.148Z","inode_before":11636,"sha1_after":"e85d38345ce6c16d9952e9b1c9368abaa43b70a4","changed_attributes":["size"],"md5_after":"68db45653f0fa91c6a1cf0c13be123ac","sha256_after":"66ebc880fb040d7adf63a49f7acf108c10a47e3a95df939667b455ff1f0f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T05:50:38.817Z","size_after":37,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":91166,"mtime_before":"2023-03-05T05:49:38.817Z","inode_before":41259,"sha1_after":"9ac9178035ead4c00b3224c2a6b75039f4af6474","changed_attributes":["md5"],"md5_after":"2f4c54c0e22c1d6ca6c82d6395a56ce6","sha256_after":"f4f129f89f9fbba23a71ffb7e37a35ab35c162548cfab4f2ed195f162766"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-08T07:48:52.362Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":40618,"mtime_before":"2023-03-08T07:47:52.362Z","inode_before":83697,"sha1_after":"b0f3af9aa8ec809b838cc33d7d412dcdd4f83d90","changed_attributes":["tmp"],"md5_after":"9dc9d475cc4fc51d41ec74b0e03e9ed1","sha256_after":"229537cabada440a51924d8439ab7d7cbec5d6d3f6e629de67e3ee6ffba5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T06:28:31.257Z","size_after":21,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":77693}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T14:54:52.294Z","size_after":65,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":38572,"tags":["tmp"],"sha1_after":"fbd93df7261a0ba1e9c369bdf29457a8199cd0a2","audit":{"process":{"name":"/tmp/sample","id":43400,"ppid":4820},"effective_user":{"name":"NETWORK Service","id":37},"user":{"name":"root","id":37},"group":{"name":"SYSTEM","id":4}},"md5_after":"d4737975494ba0a13ddc7cca9f230f03","sha256_after":"82621e54abc990ecfa5ab73340f835a4e12f9b7c78bf43da7e1fd0187b93"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-03T03:04:36.905Z","size_after":23,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":75616,"mtime_before":"2023-03-03T03:03:36.905Z","inode_before":60665,"sha1_after":"2be56dc09d49bdb0dc053c59f988ac5c028f93fc","changed_attributes":["sha1"],"md5_after":"8a59f3aabaa952575e2ce3fb551ba7a4","sha256_after":"712af7907b7a237d03b0faa1919b79d031b1779ade9df72e03d7e38e97a7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T18:24:29.661Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":61538,"tags":["tmp"],"sha1_after":"22a43a32da470e7e3125327b505de8428a30e4d8","audit":{"process":{"name":"/home/user/sample","id":11404,"ppid":16467},"effective_user":{"name":"root","id":94},"user":{"name":"root","id":92},"group":{"name":"suricata","id":85}},"md5_after":"803556d4dfd9e9884a4aa1f8228c8b5c","sha256_after":"f8312a57dcbab9cd4d14dfa29d38552da56075795707d95b66b06807ca21"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T04:50:32.816Z","size_after":11,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":59485,"mtime_before":"2023-03-05T04:49:32.816Z","inode_before":28023,"sha1_after":"0abe4c202b136b1e4a63f972cba745f4e6e16e48","changed_attributes":["inode"],"md5_after":"3a5a9864fad0f5a13c7d6839a3304f91","sha256_after":"ec3fc684aa8b9e15c1f15158c067b0124c4c562f9ea68b03e82a1e7b6795"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-08T02:53:51.254Z","size_after":23,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":11302,"mtime_before":"2023-03-08T02:52:51.254Z","inode_before":37105,"sha1_after":"f830a1d3dc2c1fff5d6a5851fdc7da8042da61ba","changed_attributes":["md5"],"md5_after":"08a5f46a0787dc6d9e79ddcc1eaf885b","sha256_after":"1badd538a88f186dea65b452566d86640275734c694f4c60385429bfdf3f"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T04:48:56.201Z","size_after":37,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":35169}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T06:13:50.933Z","size_after":32,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":7623,"mtime_before":"2023-03-06T06:12:50.933Z","inode_before":1303,"sha1_after":"ac5b5d47662e7285ec80712b57a250d6f771e9ee","changed_attributes":["inode"],"md5_after":"10a6f378a866dc75bf1609ed2baafd55","sha256_after":"2200d6b06eac066985b9d9f8d7859d66b6d9ed378edd46a94c5d64e675e6"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T03:34:37.736Z","size_after":52,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":60926,"mtime_before":"2023-03-06T03:33:37.736Z","inode_before":20071,"sha1_after":"a8977b5bf65dc864b00bd0e6c22ec561d84da317","changed_attributes":["md5"],"md5_after":"50072f63b6aa21d343897b3c1944c024","sha256_after":"28262ca1c6d95dbcfa58f1aa0e62317d7bbec1c31c879b11ffec46e3790f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T00:10:32.622Z","size_after":3,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":82970,"mtime_before":"2023-03-08T00:09:32.622Z","inode_before":19771,"sha1_after":"a94c841253e9f3b91d0b27650b09447602d93841","changed_attributes":["mtime"],"md5_after":"3ab67e7bac878f396abfaea99c964475","sha256_after":"18b9d58bad3180a8149e9f292a9c9d965955b1bb36bcd5380fa5c252e89b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T16:57:41.215Z","size_after":40,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":99541,"mtime_before":"2023-03-01T16:56:41.215Z","inode_before":50714,"sha1_after":"90cbb26cc3f58afd82a82c5407a06a5cf53d3532","changed_attributes":["size"],"md5_after":"3365c26100c35514edb2f5fd76290244","sha256_after":"5600c99e374dfdcee4041d091fc515bf668a5dc5f73e3cdeb69329f38ad6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T22:35:44.226Z","size_after":39,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":71677,"tags":["tmp"],"sha1_after":"4d20e03ca7c48baadb882573f8c1a0af563c16ba","audit":{"process":{"name":"/etc/sample","id":25243,"ppid":62636},"effective_user":{"name":"Administrators","id":83},"user":{"name":"suricata","id":45},"group":{"name":"LOCAL Service","id":46}},"md5_after":"8e6a84ed61789338a344a1049e4b16be","sha256_after":"1550b024839c23a3d72605125d6cc02898dcf8223e8b72674e763287ae2a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T07:02:46.546Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":62732,"tags":["tmp"],"sha1_after":"c1e5c02468f51f6da2facda0977643196bfc4b3b","audit":{"process":{"name":"/home/user/sample","id":82441,"ppid":67325},"effective_user":{"name":"suricata","id":27},"user":{"name":"LOCAL Service","id":5},"group":{"name":"suricata","id":34}},"md5_after":"cc01728e9445e5552f618f3902ddf392","sha256_after":"6c2b7031e2a8ae2c34bee6646c741a8c7b1fcf3e02961c322c07a149ca15"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T01:07:40.703Z","size_after":24,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":19401,"tags":["tmp"],"sha1_after":"6b3eea586cf5fa4651e47dbeaff1e3249612f09e","audit":{"process":{"name":"/etc/sample","id":97862,"ppid":16795},"effective_user":{"name":"suricata","id":8},"user":{"name":"root","id":67},"group":{"name":"ec2-user","id":15}},"md5_after":"6faba8e776c41d377a35992ace4427c2","sha256_after":"a8ce4b2d38d2ee4927713646571cc980d9469804d804b35f8212aa702e91"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T17:59:33.686Z","size_after":55,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":48857,"tags":["tmp"],"sha1_after":"e31436ce51cbc9dedbb8cf80f70c5e89bed4ea2e","audit":{"process":{"name":"/etc/sample","id":75444,"ppid":33212},"effective_user":{"name":"wazuh","id":92},"user":{"name":"ec2-user","id":54},"group":{"name":"Administrators","id":3}},"md5_after":"2a088b00c07898fcddfeffdfb3619380","sha256_after":"0590d527e3d18b3afa1ea90815ef2f789605775dde1ee1f6735b89eb8f0a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T18:17:31.609Z","size_after":53,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":28809}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T21:55:30.018Z","size_after":32,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":78765,"tags":["tmp"],"sha1_after":"a16f3d452102f9a933e92e84dbc9803658e121a1","audit":{"process":{"name":"/tmp/sample","id":75652,"ppid":97277},"effective_user":{"name":"SYSTEM","id":79},"user":{"name":"NETWORK Service","id":52},"group":{"name":"wazuh","id":25}},"md5_after":"0f643c1cf03f08b94436387e761368b4","sha256_after":"3021f6e9daea8e68a3af99cba131f1f786e6ce283f64e8f5eb44018cd8b6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T01:17:25.805Z","size_after":62,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":18232,"tags":["tmp"],"sha1_after":"dfb0036d75b5602bba1789c8dcab0292573c3ce8","audit":{"process":{"name":"/etc/sample","id":7355,"ppid":41994},"effective_user":{"name":"suricata","id":5},"user":{"name":"ec2-user","id":22},"group":{"name":"NETWORK Service","id":79}},"md5_after":"fe4a117abd587b3844e02a163c26faf0","sha256_after":"ade827a37e1fe03313147bcbe7831037e03b085e46ab3f2be767822854ff"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T12:43:11.754Z","size_after":18,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":5167,"tags":["tmp"],"sha1_after":"91417c0ccd84a5c7bb7a1e3b464e800816097aa3","audit":{"process":{"name":"/tmp/sample","id":78225,"ppid":18253},"effective_user":{"name":"LOCAL Service","id":56},"user":{"name":"wazuh","id":24},"group":{"name":"ec2-user","id":27}},"md5_after":"28537e1b041b1f6724088b09ef1855c2","sha256_after":"ba5fdb7f646b7f23af230712cb6235c5e3e40c65e22828972035c94da394"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T18:30:35.505Z","size_after":5,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":87025}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T09:34:23.966Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":62265}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T20:05:53.747Z","size_after":7,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":3374}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-05T09:32:30.199Z","size_after":35,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":33531,"mtime_before":"2023-03-05T09:31:30.199Z","inode_before":37449,"sha1_after":"6e773f935e290b7a9ac653ef5e1b0491d4042060","changed_attributes":["size"],"md5_after":"689988924a5d8fe032dd61a9f17bdff9","sha256_after":"aa11714e7386898e7416ce5eaa5b961e7fda783046d7b676e6b02c1dd495"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T18:32:57.126Z","size_after":32,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":35668,"tags":["tmp"],"sha1_after":"7a3edb85236e5a97c6e00b75aa96c7048128b5de","audit":{"process":{"name":"/etc/sample","id":96271,"ppid":60141},"effective_user":{"name":"LOCAL Service","id":22},"user":{"name":"NETWORK Service","id":46},"group":{"name":"root","id":49}},"md5_after":"52756ed50c5b1abaddb6ed47d6ca49e3","sha256_after":"9ad580a3416031c910c5287df5c442de70aea9bb43334f88d7749191b697"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T06:17:11.749Z","size_after":27,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":86677,"mtime_before":"2023-03-04T06:16:11.749Z","inode_before":36813,"sha1_after":"80f69d7d2bf53dfd9a002d208166f70919f56ab2","changed_attributes":["tmp"],"md5_after":"e1da5203c9b450be0a227e22e4977169","sha256_after":"27ada2d007274fafbc79bb62f27ace2e145437f2bdab910af8ff7f88c03e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T19:22:36.872Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":37786,"tags":["tmp"],"sha1_after":"7390ba56dedb9f51d2d6b83ba0e584b94470987c","audit":{"process":{"name":"/home/user/sample","id":51262,"ppid":19469},"effective_user":{"name":"SYSTEM","id":44},"user":{"name":"LOCAL 
Service","id":88},"group":{"name":"SYSTEM","id":40}},"md5_after":"ce36a113d3f2d27138e2ff87d934023e","sha256_after":"a81fd7a4886495176cf37bd583927718d5662e1204c7feb98addb0b8b537"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T08:54:27.467Z","size_after":9,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":77458}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T12:02:03.307Z","size_after":40,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":5078,"tags":["tmp"],"sha1_after":"55f046eef3dfcc9608536dcde2e82da4eb753d95","audit":{"process":{"name":"/home/user/sample","id":82052,"ppid":75725},"effective_user":{"name":"LOCAL Service","id":14},"user":{"name":"LOCAL 
Service","id":49},"group":{"name":"Administrators","id":100}},"md5_after":"3f0ebf1c8f7c4691a5950827c3ced5c8","sha256_after":"4026c5e4a242f7064b7a93b710dcbb78f1535e1a17d9aa4866fb0f6b7594"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T01:21:41.318Z","size_after":56,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":69543,"mtime_before":"2023-03-04T01:20:41.318Z","inode_before":84545,"sha1_after":"be117b8bb0ff63ce01432f190042fd4591a90045","changed_attributes":["size"],"md5_after":"7b812905829aa2fc2e81a11be7649d34","sha256_after":"35af093b654cd471e7fae2c4c76f095ac708bd0b53dac633fe30bf831ee8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T02:45:47.799Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":93781,"mtime_before":"2023-03-03T02:44:47.799Z","inode_before":95069,"sha1_after":"8dff03e03bc141bf7e953872fc5aa2f5d6938859","changed_attributes":["md5"],"md5_after":"f222e16249f690fd7afeacb75da9ee52","sha256_after":"62fd81fa06e8ad4ffdeac30fc4925c6b39782f274f5cbcfa4899e8c29b59"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T05:38:34.787Z","size_after":28,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":10052,"mtime_before":"2023-03-07T05:37:34.787Z","inode_before":14437,"sha1_after":"14a351bc6f488857daca3ae1792039f6990bcef9","changed_attributes":["inode"],"md5_after":"447089dbec9712dc18dbd166cec31c14","sha256_after":"b0f95756ad1ce0c6b812ce0ec9d10bbe230cfe4d3535c5592e5803d4987d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T10:14:20.362Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":44149}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T09:35:04.806Z","size_after":60,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":66009,"tags":["tmp"],"sha1_after":"e91fa5761fef12fedabbc92e663a1091e22d5323","audit":{"process":{"name":"/home/user/sample","id":66205,"ppid":15224},"effective_user":{"name":"wazuh","id":56},"user":{"name":"SYSTEM","id":26},"group":{"name":"wazuh","id":40}},"md5_after":"f73769b4fc5767734c30f9c335befc8a","sha256_after":"7e37228ca08c1aaa2379fa20970dddb417b56827fdca9eb7a7e6de93a770"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T18:29:19.224Z","size_after":58,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":2301,"tags":["tmp"],"sha1_after":"8e57f3450a38cad3f0661a5cbe70ac9aa3a2e851","audit":{"process":{"name":"/tmp/sample","id":64471,"ppid":32037},"effective_user":{"name":"SYSTEM","id":41},"user":{"name":"root","id":27},"group":{"name":"wazuh","id":17}},"md5_after":"8d5b125260ac53a3d38d20ec08a0420e","sha256_after":"62c6be6359c0aa320c309eac7d1011f438a2dc7dee3c21f986b021f9b765"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T09:53:23.968Z","size_after":42,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":55483,"tags":["tmp"],"sha1_after":"b3bd4b69818adc3f9d6c8c7194ee4e418661cfbf","audit":{"process":{"name":"/etc/sample","id":30183,"ppid":83082},"effective_user":{"name":"wazuh","id":38},"user":{"name":"wazuh","id":15},"group":{"name":"wazuh","id":55}},"md5_after":"1dfd650d2fa413cacf68735ab0484636","sha256_after":"96ce5241272e0c2819f39c27ad20f3df783501d4c203c9702db4e99d0a16"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T06:54:36.065Z","size_after":64,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":99903}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T12:21:46.064Z","size_after":22,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":29927,"tags":["tmp"],"sha1_after":"872fb7ca6e4b8f15e68ce0c7bdfe03bc3ae819e3","audit":{"process":{"name":"/tmp/sample","id":92311,"ppid":24562},"effective_user":{"name":"root","id":86},"user":{"name":"ec2-user","id":68},"group":{"name":"root","id":88}},"md5_after":"346fe6dd26b41b35894514b64a95fd7e","sha256_after":"091177f6711b99a437e3ccb5706628d841f6fd0c35e6f897948cdd1f6905"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T01:06:49.332Z","size_after":62,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":59697}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T04:45:42.288Z","size_after":6,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":19710}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T17:36:40.633Z","size_after":43,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":51717}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-06T00:22:46.048Z","size_after":42,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":69212,"tags":["tmp"],"sha1_after":"da30a29b2c2a323e6d21ab4afdc3448dbe37acd5","audit":{"process":{"name":"/home/user/sample","id":51366,"ppid":19817},"effective_user":{"name":"ec2-user","id":15},"user":{"name":"NETWORK Service","id":64},"group":{"name":"SYSTEM","id":32}},"md5_after":"d5bb0c95bc216b50bd7c8503809a3e77","sha256_after":"147c6941a0cecf62bb63b5ac10a9bf9300acf6503058e0d9081ed3e0b494"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T13:31:19.906Z","size_after":21,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":6292}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T15:25:29.676Z","size_after":4,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":54443}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T04:01:29.821Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":40021}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T21:20:51.797Z","size_after":60,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":7902,"tags":["tmp"],"sha1_after":"8a3f47c4779b1cf8c78458526367b9a71f15fda2","audit":{"process":{"name":"/tmp/sample","id":30162,"ppid":74918},"effective_user":{"name":"root","id":47},"user":{"name":"LOCAL Service","id":57},"group":{"name":"SYSTEM","id":1}},"md5_after":"d8bb8fbd2864a886e18f37e9cfa4cf03","sha256_after":"97e7bf365d59e84e9a2406476db386cba6324be9ae394ae016934521517f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T06:10:19.948Z","size_after":60,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":64958}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T14:06:16.590Z","size_after":63,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":22548}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T02:04:43.336Z","size_after":34,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":56685}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T16:24:40.778Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":86455}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T21:33:10.157Z","size_after":38,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":40999}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T04:04:44.921Z","size_after":51,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":663,"mtime_before":"2023-03-06T04:03:44.921Z","inode_before":16160,"sha1_after":"c00d49bf93af71ffb314dba83e9c3407d3a9ef81","changed_attributes":["tmp"],"md5_after":"bb2aac859b607a4e1c5766925073ede5","sha256_after":"446e0483cba573a44bb48f9246e5bd2e1532cdc09a7bc5be903aa7da06a2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T17:04:46.058Z","size_after":44,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":82993,"mtime_before":"2023-03-05T17:03:46.058Z","inode_before":89438,"sha1_after":"43e74ddde8282bc0dd783627b8ec2ea742f305bb","changed_attributes":["sha256"],"md5_after":"4d68b5a0cb8c9dbb4ef6862faa1d3a9b","sha256_after":"d7ca9132a42095e729d370814b27c89d4d24f73ffc5eb9784b52a96b9d8c"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T08:39:05.270Z","size_after":57,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":65559,"mtime_before":"2023-03-02T08:38:05.270Z","inode_before":55435,"sha1_after":"ffc01c639acf77beb15c4a21dd9ac23d96414b89","changed_attributes":["sha256"],"md5_after":"dc7dae5f886ea6108460c87df93ea150","sha256_after":"933818d649609031a198c0213c484cd99a21d38ff8ade1fcd41dabee3d47"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T20:01:21.318Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":97346,"tags":["tmp"],"sha1_after":"4ca61ea7297d4267b25d6961b132bebab76c770a","audit":{"process":{"name":"/tmp/sample","id":78235,"ppid":94153},"effective_user":{"name":"SYSTEM","id":6},"user":{"name":"SYSTEM","id":99},"group":{"name":"NETWORK Service","id":63}},"md5_after":"e624f15f0e63a263fe9d7455c6906cba","sha256_after":"40275ac8f5fd4353f1bdcb1f014397533529445051442e57ccf67b3290ef"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T21:59:16.916Z","size_after":31,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":26105,"tags":["tmp"],"sha1_after":"4df016d636428b1af3be0ba8f9e7ea4fa7956e65","audit":{"process":{"name":"/tmp/sample","id":83465,"ppid":76654},"effective_user":{"name":"LOCAL 
Service","id":6},"user":{"name":"Administrators","id":63},"group":{"name":"suricata","id":61}},"md5_after":"f04f12089742474760fda9f0b90e28dc","sha256_after":"98f478ff3c018f53d91b4675caa916a8c85b1ec0e7cda5536c19eadeb765"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T06:59:54.776Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":64707,"mtime_before":"2023-03-02T06:58:54.776Z","inode_before":44397,"sha1_after":"9bf1f3e8f2a907d449de8aa1bfdbb426b5dc5451","changed_attributes":["mtime"],"md5_after":"543ee33c610d2a3279e980b81e530ef0","sha256_after":"0408a24383981ef1cfa2770e24f405e198f54960c0f4132f9cc82e7ab6d7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-01T14:03:39.314Z","size_after":17,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":93537}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T10:16:39.466Z","size_after":1,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":59472}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T12:43:57.196Z","size_after":42,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":1349,"tags":["tmp"],"sha1_after":"168d819d72ebdda8b0350036f41b21e69e47cdb3","audit":{"process":{"name":"/home/user/sample","id":52370,"ppid":64046},"effective_user":{"name":"wazuh","id":0},"user":{"name":"Administrators","id":29},"group":{"name":"Administrators","id":43}},"md5_after":"9bf20f6591e6dc80a25b20cb33fbfc8f","sha256_after":"f5e0f6b3ed0e42ac5a860fd3ae0bdefb87c4d6c8a8d00821abc99db6edf1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T16:18:48.116Z","size_after":36,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":48149,"tags":["tmp"],"sha1_after":"2d1f1f39b03f6a8dc22e321ae2d552558bdbf6e2","audit":{"process":{"name":"/etc/sample","id":6209,"ppid":87425},"effective_user":{"name":"root","id":79},"user":{"name":"suricata","id":29},"group":{"name":"NETWORK Service","id":33}},"md5_after":"dab811b702f24efb61c7efd05e2be6a8","sha256_after":"f97c2972e1810633c8f7607b49d23a5a5a33895fd807d686458bbd6b3e05"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T06:34:18.613Z","size_after":60,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":83038}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T11:16:44.411Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":14372,"mtime_before":"2023-03-07T11:15:44.411Z","inode_before":96113,"sha1_after":"31d67280ddc3f7822f3b9ceab98d9851baf54d10","changed_attributes":["mtime"],"md5_after":"d9ea6918f91febc29e6061d16b32e8a0","sha256_after":"b9d4c951be9188cf3b211b5fd786a17958b6132f967caa6b2f6785480f2f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T02:31:47.165Z","size_after":47,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":15811}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T16:13:54.705Z","size_after":34,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":16834}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T13:54:51.178Z","size_after":20,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":22760,"tags":["tmp"],"sha1_after":"3b3cac400bc44d958bbcae8d6abb7af815e15862","audit":{"process":{"name":"/home/user/sample","id":84315,"ppid":67454},"effective_user":{"name":"suricata","id":62},"user":{"name":"Administrators","id":38},"group":{"name":"NETWORK Service","id":16}},"md5_after":"3ffe90ef4ad9ed83089177e3fe1224b2","sha256_after":"fb56d9f27e0bffa3724d27f1d598fbf05b52fa5e7158dbaa1493d090ea80"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T16:48:36.992Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":9035,"tags":["tmp"],"sha1_after":"6c00586a3cc5b5b583ca3f9bd7c81850780c2e3b","audit":{"process":{"name":"/tmp/sample","id":611,"ppid":4438},"effective_user":{"name":"suricata","id":85},"user":{"name":"NETWORK Service","id":72},"group":{"name":"ec2-user","id":8}},"md5_after":"9eb72a5a56e7f70bc88a59f2f74acd43","sha256_after":"d5bfc404fc8d113497b620c6899f62f1ac929d400f1a4d3cdc05f5549849"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T16:47:26.839Z","size_after":49,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":62697}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T15:31:41.483Z","size_after":34,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":19328,"tags":["tmp"],"sha1_after":"eb3f1e3d89cd36198bed14ba96a8827192ba89ae","audit":{"process":{"name":"/home/user/sample","id":70155,"ppid":95462},"effective_user":{"name":"ec2-user","id":30},"user":{"name":"LOCAL Service","id":8},"group":{"name":"Administrators","id":52}},"md5_after":"9bdb5d4d518f61c29abea9d49ced4c6f","sha256_after":"077ea2a959c2367d592039974bb6d9f3a663fd71e3c305406d7d1d30e092"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T06:56:42.326Z","size_after":8,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":7738,"mtime_before":"2023-03-02T06:55:42.326Z","inode_before":96999,"sha1_after":"f8916b70e98ed9553483032b0b5bd3f2819787ce","changed_attributes":["sha1"],"md5_after":"39515553531d2e27387c13b308f5d91b","sha256_after":"ad2d123a6448c7505869134612f29c44276e449fedf0775d5626569ba622"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T23:56:55.062Z","size_after":50,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":68788,"mtime_before":"2023-03-06T23:55:55.062Z","inode_before":11631,"sha1_after":"02bb629f4125562b11acb1ca5cb4810295cae103","changed_attributes":["sha1"],"md5_after":"e450e09f03a1ef4c1f14a66f14f2d837","sha256_after":"586288d596fc422c8441a3b8523c6704b3651027305ed5342f1c1fa50050"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T14:34:48.155Z","size_after":6,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":17689}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-08T09:55:26.645Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":82729,"tags":["tmp"],"sha1_after":"62857d15c8482e8367b60bd5f7f4a4637f35342a","audit":{"process":{"name":"/home/user/sample","id":34635,"ppid":55987},"effective_user":{"name":"LOCAL 
Service","id":58},"user":{"name":"root","id":48},"group":{"name":"SYSTEM","id":23}},"md5_after":"0cd8418f7e92469e9f0a8e2736cc7fe6","sha256_after":"62fbec232fcd5bffd081b178a8cc8af43474d26f389a5aa41fd42da1fbd0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T11:42:48.419Z","size_after":39,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":6568,"tags":["tmp"],"sha1_after":"9111c18f7d3d5b4cdafdec0bc17600d64ba9b3e4","audit":{"process":{"name":"/etc/sample","id":98267,"ppid":98759},"effective_user":{"name":"LOCAL Service","id":71},"user":{"name":"SYSTEM","id":42},"group":{"name":"suricata","id":100}},"md5_after":"074f2198fc3203463a31bbd0af29d5bb","sha256_after":"6c2b8917e45ff452bf6b9c7b19b33f77e05750be1a3f94619bea13ab8c3b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T10:17:54.487Z","size_after":37,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":83680,"tags":["tmp"],"sha1_after":"6a389afb1067df40fffa6cd38f7352ee00422574","audit":{"process":{"name":"/tmp/sample","id":25750,"ppid":98676},"effective_user":{"name":"suricata","id":65},"user":{"name":"root","id":61},"group":{"name":"SYSTEM","id":85}},"md5_after":"1203e9296539c3e62bdc777bc7b02f6a","sha256_after":"5e08f86d5c987bd42194d6aa6567d001d6d6d360dfd3ab7897dbce5705d5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T09:05:13.190Z","size_after":64,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":91938}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T01:22:34.402Z","size_after":5,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":63655,"mtime_before":"2023-03-04T01:21:34.402Z","inode_before":97035,"sha1_after":"411cbdd83ccac9a35a179d097a295e831e794301","changed_attributes":["sha1"],"md5_after":"a738f8a23e614eaf5496574f112e0a5f","sha256_after":"502529b74f4ccc42aa165cac5f08a9ad1b2fef2f096daea71c1caac09941"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T16:53:53.903Z","size_after":43,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":19913,"tags":["tmp"],"sha1_after":"5cd90bcc02c46dcdb9ed4aa896e53b06aab7d8de","audit":{"process":{"name":"/tmp/sample","id":34579,"ppid":50820},"effective_user":{"name":"LOCAL 
Service","id":84},"user":{"name":"wazuh","id":89},"group":{"name":"suricata","id":93}},"md5_after":"14f2044734ed4f2f0251a5d0153853e4","sha256_after":"5e503535999b90249caca968c8c44e25f860e6160066a06adfcc49b5b31d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T09:45:12.567Z","size_after":35,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":5990}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T23:04:56.736Z","size_after":44,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":95141,"tags":["tmp"],"sha1_after":"23dc1b57ec3a312bcac86843e138074b54a03697","audit":{"process":{"name":"/home/user/sample","id":5465,"ppid":49775},"effective_user":{"name":"NETWORK 
Service","id":62},"user":{"name":"ec2-user","id":14},"group":{"name":"SYSTEM","id":92}},"md5_after":"7683244c2d4520e9712bf2ca67a342c4","sha256_after":"5aa69b3efb2b9ec143cc3a9030c060625e4132699c26de855df7cc027845"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T07:44:23.074Z","size_after":52,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":73902,"mtime_before":"2023-03-06T07:43:23.074Z","inode_before":75159,"sha1_after":"9c7c4ee73a809de73ca23a1f7072da30b784685f","changed_attributes":["tmp"],"md5_after":"c65b2c253ef38498a4253711e4f4a1bf","sha256_after":"05187f2320c5ef57ffa3918ab9e56b6cfa59d38412056dc39c1fd61a6c5c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T06:30:46.142Z","size_after":34,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":28728,"tags":["tmp"],"sha1_after":"511fe0c96bde6358413f92089a384f3a79a724d5","audit":{"process":{"name":"/home/user/sample","id":37688,"ppid":71403},"effective_user":{"name":"LOCAL Service","id":13},"user":{"name":"root","id":31},"group":{"name":"SYSTEM","id":36}},"md5_after":"f9d9238c4871f0a61e361e3ef3592204","sha256_after":"94ab79cc7224ea64378fb520f4d157d733d4bf2054042897299d85011d91"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T00:19:15.629Z","size_after":37,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":42527,"tags":["tmp"],"sha1_after":"a02911225cd70ad6cfc40716b78ae6cebd808fdb","audit":{"process":{"name":"/home/user/sample","id":33524,"ppid":22507},"effective_user":{"name":"ec2-user","id":88},"user":{"name":"SYSTEM","id":92},"group":{"name":"SYSTEM","id":54}},"md5_after":"03bf866a77fd2ffdb5dad13bf675aece","sha256_after":"19d0565512f5d10a456947a6404db9ccc75c4925362052e41873f898fd9e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T04:38:42.386Z","size_after":5,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":90189,"tags":["tmp"],"sha1_after":"c9959f4b0bac8373edafe1fb0ff67d9f9f92035b","audit":{"process":{"name":"/home/user/sample","id":50835,"ppid":84567},"effective_user":{"name":"root","id":48},"user":{"name":"LOCAL 
Service","id":20},"group":{"name":"wazuh","id":24}},"md5_after":"07020a125c60544265a21e745e1cb006","sha256_after":"19020b6bf49de793e807f162b5c17312e8a958957ddb91077678b9fa7642"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T14:17:48.673Z","size_after":11,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":29176,"mtime_before":"2023-03-03T14:16:48.673Z","inode_before":71783,"sha1_after":"fee5bf31f84230aecc62b9f57cb120cf76eb90f4","changed_attributes":["tmp"],"md5_after":"de5ebbdba683e24ef35136d0cf5abfea","sha256_after":"3fcfa24745d3cab09db27a6a4458f9a532a9fccdfc9d83a22bdf8e80e3fe"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T21:59:41.833Z","size_after":22,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":99752,"tags":["tmp"],"sha1_after":"044b5b425cf37c04f305dd6a97198e19825a7d3c","audit":{"process":{"name":"/etc/sample","id":78247,"ppid":91612},"effective_user":{"name":"suricata","id":15},"user":{"name":"ec2-user","id":62},"group":{"name":"LOCAL Service","id":54}},"md5_after":"2aba0913a5b33eed6a90c6888048f466","sha256_after":"72c37c88fe66f0ff898622a358937aec3693618d688231459d1bcab2c958"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T23:48:57.559Z","size_after":20,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":84742,"tags":["tmp"],"sha1_after":"530b7f8ac33b575398d3cc48ab53550aa9e392f3","audit":{"process":{"name":"/etc/sample","id":33508,"ppid":22960},"effective_user":{"name":"SYSTEM","id":49},"user":{"name":"LOCAL Service","id":45},"group":{"name":"root","id":46}},"md5_after":"99e9ae61ea50801a4aeedb19f5bf40b0","sha256_after":"e4bd6a6a1d1c9b36819f4d28db79b06d79ac23f5fc35ee5beb44a03cd261"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T22:28:42.363Z","size_after":23,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":75989}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T15:36:03.709Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":99315,"mtime_before":"2023-03-02T15:35:03.709Z","inode_before":66535,"sha1_after":"053eaf722d3076f53e734f1be0a5f624673ef0b9","changed_attributes":["mtime"],"md5_after":"1acf4441fee2b5ba4ad60cf3aed9efc5","sha256_after":"01deff0e759159c5e3cd85be1b328a95a24266ff2fa6c0e4b79c8c95dbc0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T07:13:55.268Z","size_after":25,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":37109}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T01:27:42.813Z","size_after":64,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":85674}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T17:57:52.801Z","size_after":54,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":2630,"mtime_before":"2023-03-05T17:56:52.801Z","inode_before":21265,"sha1_after":"217b27bafa658b1289608b5874803a7e9cb399a8","changed_attributes":["tmp"],"md5_after":"7fe65e6178ba0b9fd03d5f5b2add85f6","sha256_after":"e31d7b36e1373fee3af818cf72882e0e6ea1c335016195b7225d4291fd37"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T06:13:45.433Z","size_after":57,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":93449}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T04:19:16.912Z","size_after":58,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":27240,"tags":["tmp"],"sha1_after":"5d0bf2db1eba48679d185cca5286252b97742d96","audit":{"process":{"name":"/tmp/sample","id":86301,"ppid":11953},"effective_user":{"name":"root","id":14},"user":{"name":"root","id":22},"group":{"name":"suricata","id":45}},"md5_after":"3575523fd1dce895d795184b653d1265","sha256_after":"74108e70769f0be1d92e9b8a5f8f78c8105d507c2de673c5de9a46ad5d5f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T22:59:00.083Z","size_after":56,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":78507}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T19:25:56.304Z","size_after":30,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":26177}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T16:41:13.874Z","size_after":10,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":62185}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T23:08:46.126Z","size_after":59,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":65230}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T14:30:28.715Z","size_after":52,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":62985,"tags":["tmp"],"sha1_after":"35b51cb24bbf4ace8b46a19c85288f0aa4b8bea0","audit":{"process":{"name":"/etc/sample","id":1177,"ppid":44036},"effective_user":{"name":"ec2-user","id":62},"user":{"name":"NETWORK Service","id":54},"group":{"name":"LOCAL Service","id":13}},"md5_after":"59995458eeef795a99e6ce67506adcf9","sha256_after":"b243ca49c93dbea74ed6e25a5cdfbff21aa0a37d357697cad8c25451a283"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T10:25:57.122Z","size_after":12,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":69379}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T00:21:42.494Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":58359,"mtime_before":"2023-03-02T00:20:42.494Z","inode_before":63692,"sha1_after":"ab1ed8d2aaf434d0bc8d73dd1f72f8115284b596","changed_attributes":["md5"],"md5_after":"809abcf4c65681cd5fd0a7acc360b7c3","sha256_after":"f7107188da7a094f8826307642b6a5e55f4a221cbe9ed88e784384acd7ec"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T08:09:46.768Z","size_after":23,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":21597}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T17:51:26.553Z","size_after":33,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":16996,"mtime_before":"2023-03-04T17:50:26.553Z","inode_before":75556,"sha1_after":"2987c84a7b0db3c97ac90bed2b3f4544055d0029","changed_attributes":["sha1"],"md5_after":"8cb537d71fa72f771ce892faf46a8fb6","sha256_after":"21cc15c33d09cc9109d078fb6b00427e0360f830f26a54cc25a914218348"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T09:46:41.550Z","size_after":1,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":23766,"mtime_before":"2023-03-04T09:45:41.550Z","inode_before":92889,"sha1_after":"c6a29d6b450b3a5324586d86cd837e1bc2c8d538","changed_attributes":["size"],"md5_after":"d65b979e5661aa20da20ca0bb67711cd","sha256_after":"f88101562634f8adebe325f8424ec77fd17d1fca6931247298d1cc2d4dcc"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T16:23:14.407Z","size_after":7,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":2887,"mtime_before":"2023-03-06T16:22:14.407Z","inode_before":42701,"sha1_after":"a472b04625bca3d6713b181bd8c3cd54590ec11a","changed_attributes":["inode"],"md5_after":"40f478214256cf980034786c9892af8d","sha256_after":"441994cd8c79c3711bfdf27226864338cf630069ea31e25a41d1800ed12f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T06:51:28.257Z","size_after":31,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":87884}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T08:46:37.849Z","size_after":0,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":14140}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T03:21:24.603Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":70344}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T04:57:38.711Z","size_after":62,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":85007,"tags":["tmp"],"sha1_after":"ce16d3c8ec66ebeb03bac27e5d851097f02833e2","audit":{"process":{"name":"/etc/sample","id":81279,"ppid":13267},"effective_user":{"name":"NETWORK Service","id":83},"user":{"name":"SYSTEM","id":7},"group":{"name":"NETWORK Service","id":31}},"md5_after":"1b940189bc250eee6ee51a59f5753baa","sha256_after":"fcca6e7f5a87a6cf3d834bc646b15e3a9cdf8a830c2c569553329c714864"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T23:16:17.620Z","size_after":9,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":84633,"tags":["tmp"],"sha1_after":"6c090f170d4e2f7a194212a3fc09bcf37c45ca0d","audit":{"process":{"name":"/tmp/sample","id":64192,"ppid":37799},"effective_user":{"name":"Administrators","id":57},"user":{"name":"wazuh","id":1},"group":{"name":"SYSTEM","id":90}},"md5_after":"dcdc01183107deb04d19868ae5b921c9","sha256_after":"ff0d6a7a0c91739723583458a1bd03a2a57998459e108670f7e0e97d1d95"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T15:19:33.387Z","size_after":36,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":59097}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T12:52:03.875Z","size_after":26,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":84534,"mtime_before":"2023-03-01T12:51:03.875Z","inode_before":96642,"sha1_after":"a8c6caa0b0f7c3ba00668a2b26dbfb1921cbb000","changed_attributes":["md5"],"md5_after":"8847712b37e12f51da6fc073e3bab8cd","sha256_after":"92db82eb1e415362b41ad9116afe6e562a3ef2310d533edd7f4bd0ab0dc5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T09:34:42.056Z","size_after":21,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":893,"mtime_before":"2023-03-07T09:33:42.056Z","inode_before":25526,"sha1_after":"62af675223d818cbd80f5a823a98956db661b4a6","changed_attributes":["mtime"],"md5_after":"87713ec5e781676887680027b07cad31","sha256_after":"4cedbd24be5168c8b0396e8461c52db3cf537ef245de8c6a07857ed7e2e6"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T16:18:45.418Z","size_after":6,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":8001,"mtime_before":"2023-03-06T16:17:45.418Z","inode_before":19489,"sha1_after":"b0705d8e510c6f8fbed814a2062ab7fc00a72cbc","changed_attributes":["sha256"],"md5_after":"0a56db3b8b5cf2ce0eab9cb87a2f9436","sha256_after":"49b452e66e05bafd484e3d9ab625e2860ff9e4801b5dbe7e5b48f9ab2a20"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T12:01:11.855Z","size_after":10,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":56610,"tags":["tmp"],"sha1_after":"55ac86fa2f03fde20a866041584f501dc9141a6e","audit":{"process":{"name":"/home/user/sample","id":59526,"ppid":490},"effective_user":{"name":"SYSTEM","id":77},"user":{"name":"suricata","id":70},"group":{"name":"wazuh","id":63}},"md5_after":"a40d0c34e2f38cbabb688c8d1accf821","sha256_after":"22eada2f9107e90d8f92febaa8f0fdd0a26f1316a16be2a1ab4ef3b72b28"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T03:33:20.393Z","size_after":15,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":47916,"tags":["tmp"],"sha1_after":"67aab6b6db71a57cc6955e8e9794b9e83598c26a","audit":{"process":{"name":"/home/user/sample","id":84940,"ppid":43350},"effective_user":{"name":"wazuh","id":10},"user":{"name":"NETWORK Service","id":51},"group":{"name":"LOCAL Service","id":82}},"md5_after":"0d38e8089c38f5985a42d9c356ec9a6b","sha256_after":"2bc74025edb8e3689e3c5b25c4cc44dc15716e3053ea7ce16f3f4fb3862e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T16:29:14.442Z","size_after":39,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":93993,"mtime_before":"2023-03-03T16:28:14.442Z","inode_before":26465,"sha1_after":"cfe970f9c1976462be967b0186dfd0b9e9181680","changed_attributes":["sha1"],"md5_after":"bcb25fb7d020312b5ed0f93dc2ac5daf","sha256_after":"f1560374b5f83f0ef6de8c134408322f94f91d8cf80c1f6e85f9c34467fb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T23:11:06.045Z","size_after":39,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":91854,"mtime_before":"2023-03-03T23:10:06.045Z","inode_before":43810,"sha1_after":"efffbddde3a3acb707e7d723940b6a16978601c6","changed_attributes":["size"],"md5_after":"76f1af07fda764fbf281cf8e60eba79c","sha256_after":"4f89177b9a995ecded8fb0c54bf242875d29fcc9b3a837ac77698fa19613"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T07:56:11.566Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":78047}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T04:24:13.146Z","size_after":65,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":1036,"mtime_before":"2023-03-07T04:23:13.146Z","inode_before":58447,"sha1_after":"bbe76b8717d0d087f60fe57dfb9ed8fe16522430","changed_attributes":["inode"],"md5_after":"07db486ba77a4a1d32198718bb073649","sha256_after":"b195801ff0bf77924c806a40f225e91baa9946db51f450eeb917ceb6b719"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T20:31:42.264Z","size_after":36,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":85998}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T15:51:39.609Z","size_after":65,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":50432}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T00:54:51.046Z","size_after":4,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":39846,"mtime_before":"2023-03-02T00:53:51.046Z","inode_before":67023,"sha1_after":"280c88748b486c9403e7e6f2434ed23ad9d3ca9d","changed_attributes":["inode"],"md5_after":"0a4cb32eab0aef16138f0dbae7ded978","sha256_after":"080b1a35bcf9e3a324600f54426266e91e3bb906c278354db31ec9573e01"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T01:07:07.381Z","size_after":16,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":78848,"tags":["tmp"],"sha1_after":"08c566f87382419d7368488d23b6a698e3bece51","audit":{"process":{"name":"/home/user/sample","id":67049,"ppid":63661},"effective_user":{"name":"SYSTEM","id":63},"user":{"name":"wazuh","id":18},"group":{"name":"suricata","id":41}},"md5_after":"1ed2b3506c54ab0fa21db9f71a3151a5","sha256_after":"4d0c6e47f66b8322b1539acdd7543317d9b804e34b6ebc53795fd4d6a6c3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T08:06:58.998Z","size_after":37,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":95903,"tags":["tmp"],"sha1_after":"e9d52a69834b857a2756452294709ff6d25fcb6c","audit":{"process":{"name":"/etc/sample","id":42354,"ppid":90908},"effective_user":{"name":"SYSTEM","id":27},"user":{"name":"Administrators","id":65},"group":{"name":"SYSTEM","id":15}},"md5_after":"9afa5be04ebe66a4e99a7b9c8e8cd584","sha256_after":"3d12000713d1faeab6f25141ebd04f18565f5a426a8b5c6259426b439ebb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T05:22:40.395Z","size_after":23,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":37483}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-03T15:47:55.653Z","size_after":62,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":20994}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T01:30:22.621Z","size_after":46,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":73541,"mtime_before":"2023-03-03T01:29:22.621Z","inode_before":94214,"sha1_after":"94be5e04ebc88c2cd6be6589a1ff62b9f9ec2466","changed_attributes":["sha1"],"md5_after":"f1e803ff645d54dbfa69e424368c09e7","sha256_after":"41e42617fdf21c5ea89d56724b52c2645ea32d53195fe8dba91548b91d4b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T20:09:18.372Z","size_after":46,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":55218,"mtime_before":"2023-03-02T20:08:18.372Z","inode_before":33353,"sha1_after":"45d65cfdb2e041883120832e441779b3fc744b34","changed_attributes":["inode"],"md5_after":"ea9e5443f6d9352c5129b51457319083","sha256_after":"b3485395a0b7f7b12a85a0788bb3fa78017ea4495f585a6afc527bea8a47"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T19:44:02.514Z","size_after":51,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":91510,"tags":["tmp"],"sha1_after":"492e03c983bd8ce2d7cc1e9fcb34d4464f8d929b","audit":{"process":{"name":"/etc/sample","id":42462,"ppid":48876},"effective_user":{"name":"wazuh","id":92},"user":{"name":"Administrators","id":25},"group":{"name":"Administrators","id":53}},"md5_after":"610c9839e5e88385d34424ea3106dadd","sha256_after":"0e1f58a8882f0a5ca1e2b68fdb864f29f0100cbe0db156e5870838dd189a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T00:31:56.888Z","size_after":19,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":24715}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T01:12:40.402Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":18849,"tags":["tmp"],"sha1_after":"100667370777944a74bbd35c21058a55af12ff9a","audit":{"process":{"name":"/tmp/sample","id":61979,"ppid":9413},"effective_user":{"name":"wazuh","id":94},"user":{"name":"wazuh","id":96},"group":{"name":"SYSTEM","id":86}},"md5_after":"e3d2937b5499c08fcb8670ee8574bb98","sha256_after":"b3240194f7fcbb29cae8927930ea0783d0768622469f6d4b365478e289d3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T15:31:24.103Z","size_after":7,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":74133,"mtime_before":"2023-03-06T15:30:24.103Z","inode_before":10289,"sha1_after":"ec56fc42fa9566a368cb2849c611076f3b87483f","changed_attributes":["mtime"],"md5_after":"21e2e58ae08d8ae354a97be7e8bc8d29","sha256_after":"d4e32fd06285e98bb56bb9b42d6ab891041694b83d72d1025a7ed85b249d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T18:16:56.083Z","size_after":20,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":84203,"mtime_before":"2023-03-03T18:15:56.083Z","inode_before":79140,"sha1_after":"1331fdfeab8e7a337f506aa2439b49a479f5dd7c","changed_attributes":["sha1"],"md5_after":"9110854b1c34b9bf3e6611b5703d0387","sha256_after":"c042bdd23fffaebca197a24858ad14860761bc193e8f6c0a6e3e4b45e42d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T00:08:51.562Z","size_after":57,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":52523,"mtime_before":"2023-03-04T00:07:51.562Z","inode_before":21301,"sha1_after":"4789c20edb9844a3699c9211db3d8b261b50c9a7","changed_attributes":["inode"],"md5_after":"c4a07e8748630fb198e73906686b8d15","sha256_after":"d6d5fa2163ac7c21c7492c621e7efb6ac4f03c93c6e626b4e6c39d30c0e7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T23:22:34.292Z","size_after":4,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":44670,"tags":["tmp"],"sha1_after":"12ce3397621ecf37ca40fca8aa37cf1dc7c89a3f","audit":{"process":{"name":"/tmp/sample","id":72669,"ppid":70268},"effective_user":{"name":"wazuh","id":99},"user":{"name":"NETWORK Service","id":63},"group":{"name":"Administrators","id":15}},"md5_after":"1b8e69b92765c5f5b4e2667fa7aee890","sha256_after":"12903bcb816d52143f6046d1e8f6baf7a886ff3d0fae31a8692a4197b73d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T05:12:27.242Z","size_after":60,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":88589,"mtime_before":"2023-03-02T05:11:27.242Z","inode_before":1317,"sha1_after":"672c578c2d4245fd8c6c775dbcc0c3e52e3bfa76","changed_attributes":["sha256"],"md5_after":"dac8743c2e8075e06650d8658301f1b0","sha256_after":"a6a7197ce895ed591aa3a5f1d3bb39bfaede33574a9fb58914f4e54d5665"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T23:27:42.244Z","size_after":63,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":17176,"tags":["tmp"],"sha1_after":"b2192dbcc7a7efd9f53eb83fe19f8814d94c83c0","audit":{"process":{"name":"/tmp/sample","id":9375,"ppid":45599},"effective_user":{"name":"wazuh","id":13},"user":{"name":"Administrators","id":42},"group":{"name":"root","id":23}},"md5_after":"eab6ae1fd4e7a63dac430c9ee9019966","sha256_after":"faea9e546f60fa8a3585f90d5014c463054ac6ef0643833621e77a24cabb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T06:07:37.051Z","size_after":34,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":79421,"mtime_before":"2023-03-04T06:06:37.051Z","inode_before":36064,"sha1_after":"f115705d853b490ed8875e3880722e58f881dd92","changed_attributes":["size"],"md5_after":"a2bf27b44e8deee94194652c012ba62f","sha256_after":"991342e6603337af251c2fba44934319b95de4b293c3634669305fdbfaf7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T11:43:21.558Z","size_after":0,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":30038}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-03T06:57:41.464Z","size_after":29,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":78755}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T23:18:26.539Z","size_after":33,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":87629}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T22:48:50.021Z","size_after":30,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":164}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T22:16:41.097Z","size_after":19,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":44780,"tags":["tmp"],"sha1_after":"87ddfe15aaa81c1a97c1ccfdd8808718148359b9","audit":{"process":{"name":"/home/user/sample","id":5346,"ppid":27015},"effective_user":{"name":"root","id":55},"user":{"name":"Administrators","id":12},"group":{"name":"Administrators","id":2}},"md5_after":"70ede2d7a9298e432461380ea06906bd","sha256_after":"ae61e842d75af50c9a949bc11d503e2ef027fe4256c61ebd7567fe782927"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T13:24:54.122Z","size_after":53,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":39186,"tags":["tmp"],"sha1_after":"231d98781e52d255ad2ffbfc45557b7fe417ddb5","audit":{"process":{"name":"/etc/sample","id":11773,"ppid":87315},"effective_user":{"name":"root","id":0},"user":{"name":"ec2-user","id":59},"group":{"name":"ec2-user","id":100}},"md5_after":"d5ee1be9f411802fb496c6928d9c0f7c","sha256_after":"76036106aeb0b8b78c7d80f0723731ca50e24c007e170d8e93625f1c5bc9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\programdata\\microsoft\\windows 
defender\\scans\\mpenginedb.db-wal","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T22:46:46.955Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":62381,"mtime_before":"2023-03-01T22:45:46.955Z","inode_before":29390,"sha1_after":"02fe08386bfcd3f97986aaa257ddaf2dac989f98","changed_attributes":["tmp"],"md5_after":"fc134e8cd76efc4b657aa5c0cb626c1f","sha256_after":"2b39401fb427e5136aa7739e171e86f4c73e0e4b8f3f7e2485c4bc6f54bb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T13:59:48.119Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":30340,"tags":["tmp"],"sha1_after":"359e81dfee43544ccba36a12d610313e7a0dad5f","audit":{"process":{"name":"/etc/sample","id":4417,"ppid":46879},"effective_user":{"name":"Administrators","id":54},"user":{"name":"suricata","id":93},"group":{"name":"Administrators","id":66}},"md5_after":"cc24910a055a1ce53921bb7c34bd967c","sha256_after":"143f9ab8757caa591f0c961d4b1dbb5e8f1740d9e478c02ae4f536e6220a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T11:29:00.525Z","size_after":14,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":36549,"mtime_before":"2023-03-03T11:28:00.525Z","inode_before":11641,"sha1_after":"ee2ded483fad9cc07a29afad53f8b4351b48ea71","changed_attributes":["mtime"],"md5_after":"cac8c9dae38b13b8b8839843463c2e3b","sha256_after":"7508573f937d7179401e485abdf0db27f5386384867b8d272092eabc1ecf"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T15:01:04.359Z","size_after":6,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":5364}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T00:38:25.737Z","size_after":33,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":26405,"tags":["tmp"],"sha1_after":"f2c14245e15f230342c942a1e397c5b5e65318e6","audit":{"process":{"name":"/etc/sample","id":38744,"ppid":14499},"effective_user":{"name":"root","id":62},"user":{"name":"NETWORK Service","id":43},"group":{"name":"wazuh","id":69}},"md5_after":"8c8be7e7ed57f29a1478d1f5a5b84e85","sha256_after":"2cd100eb018df3a6c3daba7e779fbfbd6bf27cf8ff31ded92fec95f2a4a5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T21:28:07.968Z","size_after":7,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":85774,"tags":["tmp"],"sha1_after":"391580eb3cc2eaba11955f9891c2fe2e91fd1ad6","audit":{"process":{"name":"/etc/sample","id":91960,"ppid":32051},"effective_user":{"name":"wazuh","id":70},"user":{"name":"root","id":63},"group":{"name":"root","id":57}},"md5_after":"36c51e4db94d4ec062d0bbd43e92aeca","sha256_after":"05a590b2ace1c8768b3cbb38d26e8c35390497b6d30d2be32af8202c9609"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T07:23:28.420Z","size_after":64,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":40305}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T21:29:53.126Z","size_after":22,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":73177,"tags":["tmp"],"sha1_after":"66f36e8bca90b2eef4acf742a3274f9a25259492","audit":{"process":{"name":"/tmp/sample","id":9713,"ppid":90471},"effective_user":{"name":"wazuh","id":78},"user":{"name":"NETWORK Service","id":2},"group":{"name":"wazuh","id":87}},"md5_after":"ed1f48f65e50e756a7b7ddef0e23c087","sha256_after":"dbfabf39838320c51442c138c68cc5e04045d146c0516c6cee5545c1637c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T02:40:46.833Z","size_after":3,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":10500,"tags":["tmp"],"sha1_after":"b7f45782ff86832747691ded42122c0bdd6561d8","audit":{"process":{"name":"/tmp/sample","id":58314,"ppid":62638},"effective_user":{"name":"ec2-user","id":68},"user":{"name":"wazuh","id":21},"group":{"name":"NETWORK 
Service","id":37}},"md5_after":"7bcb27a430114212c5401e46080122fd","sha256_after":"5ebcf5658327b0849b3b2049bdb85434c28fe81553f0b4cd79f49e57a8ba"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T15:41:21.454Z","size_after":3,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":47709,"mtime_before":"2023-03-01T15:40:21.454Z","inode_before":97251,"sha1_after":"a3150a6c035df4b52c43c48e54514f655330f979","changed_attributes":["inode"],"md5_after":"b0ce62a81be8e3756e4ce6e2d912743c","sha256_after":"3176e2214e24cf33d479361d1da27d8a585ba2bdff8514317ddc01ddd8a9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T09:48:15.761Z","size_after":29,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":26798,"tags":["tmp"],"sha1_after":"5d318074766a0097347f528951f557a41e653337","audit":{"process":{"name":"/home/user/sample","id":43970,"ppid":10702},"effective_user":{"name":"SYSTEM","id":44},"user":{"name":"SYSTEM","id":93},"group":{"name":"LOCAL Service","id":29}},"md5_after":"dc3d284083c4c9050b4125b0db04ddd0","sha256_after":"a6645af083511b75dbd7714d515c1be3ea4ec4ee3ecf2f582be3b036e4b2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T19:48:48.054Z","size_after":44,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":47120}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T13:10:39.156Z","size_after":51,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":80878,"mtime_before":"2023-03-05T13:09:39.156Z","inode_before":34393,"sha1_after":"ab8558fbfe7a483d1ff1309ef2a6d1bdec08cba5","changed_attributes":["size"],"md5_after":"c9fab3e95dabed3bca0ff1f7c3e3bd21","sha256_after":"36fdf09d570a5f95c3f9e0c7ef15f0b1afd473e0a0e9bc406fd3d5ad1e7a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T07:06:26.197Z","size_after":53,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":79236,"tags":["tmp"],"sha1_after":"f762395d0a014e6a7051f403c70231ea51c5830a","audit":{"process":{"name":"/tmp/sample","id":82635,"ppid":79953},"effective_user":{"name":"wazuh","id":44},"user":{"name":"root","id":98},"group":{"name":"LOCAL 
Service","id":26}},"md5_after":"3f6394088f3fb868c1a37a5de598c89b","sha256_after":"1767931c94e7ff57d5af530c78cd3eee299484eae390a0cf3c2d2ee86493"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T03:26:30.692Z","size_after":24,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":62498}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T18:16:58.510Z","size_after":55,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":94853}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T05:15:06.733Z","size_after":61,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":64833,"mtime_before":"2023-03-06T05:14:06.733Z","inode_before":32736,"sha1_after":"6f44d4bc8996d3fbda2e0c53d5e28f105e1c9dcd","changed_attributes":["tmp"],"md5_after":"1b2ee32822c2a8f53d9da609dbaf51f9","sha256_after":"f2e52a9f87b9228213409391018731df2471e1f5557f29d37d635df4ed20"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T19:33:40.009Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":27528,"mtime_before":"2023-03-05T19:32:40.009Z","inode_before":67695,"sha1_after":"a032cbe66d3dfde7df7b9049d35e48f947660d1e","changed_attributes":["tmp"],"md5_after":"9ac3ddd4b0d6aee583e550d0bfd77e3f","sha256_after":"af29838b0572651a64f2592f9facd426fbca2d4860a0d739ac3bed29371d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T22:20:21.558Z","size_after":24,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":69954,"tags":["tmp"],"sha1_after":"71f78f292824cf1106636baa80865974a7c6d872","audit":{"process":{"name":"/tmp/sample","id":32711,"ppid":25380},"effective_user":{"name":"LOCAL Service","id":97},"user":{"name":"suricata","id":63},"group":{"name":"NETWORK Service","id":1}},"md5_after":"e4724555162641621e52e86b701ea659","sha256_after":"0acf898e350f7ee3080c142329d7c544c72dc3c1273e2c8702ac1dac3236"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T18:36:09.145Z","size_after":17,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":75866,"mtime_before":"2023-03-07T18:35:09.145Z","inode_before":19492,"sha1_after":"2ae72427087c158148e37dc3cb71d12211b93c93","changed_attributes":["inode"],"md5_after":"a26a4e81e2b6f241f1770b8345dd4142","sha256_after":"f9cce99fa7a295cdbb6a8931526f06e3350a1ce12b7828513f916c4e7325"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T17:33:41.946Z","size_after":37,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":68226,"mtime_before":"2023-03-01T17:32:41.946Z","inode_before":2004,"sha1_after":"96de0ec60f27113b28c7d73d98a12b62f1bbc547","changed_attributes":["sha256"],"md5_after":"081d873edf020911e1ed8dea0fe8d373","sha256_after":"af47b7c35d3d6202dc91606f3bf9bdfa898014a635731af869360c1f1150"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T14:40:15.784Z","size_after":49,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":92759}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T07:08:34.176Z","size_after":42,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":3053,"mtime_before":"2023-03-07T07:07:34.176Z","inode_before":91155,"sha1_after":"955792d5d55014da6541f9bcc44867548ca18c2d","changed_attributes":["md5"],"md5_after":"da08a49333dc05bdfb5cb6f478bf50df","sha256_after":"696de82a8688d200c45b46f57506d428500a0f60bb831442ac30c8eac149"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T17:16:49.838Z","size_after":23,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":84096,"tags":["tmp"],"sha1_after":"d4b3afb0973f1692963f5372cf580f15aad450c4","audit":{"process":{"name":"/home/user/sample","id":21114,"ppid":87075},"effective_user":{"name":"Administrators","id":100},"user":{"name":"Administrators","id":44},"group":{"name":"Administrators","id":98}},"md5_after":"972f3b1fdac1e256cfb41b6a08fb7c3a","sha256_after":"a3dc9b78b659e9490748ca3cb6127b7cfacf9a65c43cdfb82792dabdffb8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-08T09:30:30.288Z","size_after":7,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":19228,"mtime_before":"2023-03-08T09:29:30.288Z","inode_before":66302,"sha1_after":"d2bac8ee4f4e2e8b1b9c5c55f262fcfb0880cf2b","changed_attributes":["sha1"],"md5_after":"a31ba7bda45aec43eacdd8d84b4030bd","sha256_after":"d8533238e7eabfe1912aaa3431ab0528755f975f9a403db9a2aaebb0ca0b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-04T10:41:26.034Z","size_after":26,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":17040,"tags":["tmp"],"sha1_after":"02d1d11c4c618f8e2d526112d3b0eae311e644a4","audit":{"process":{"name":"/etc/sample","id":76325,"ppid":70783},"effective_user":{"name":"suricata","id":64},"user":{"name":"wazuh","id":99},"group":{"name":"wazuh","id":26}},"md5_after":"f45317016e3934e727e70c9dc5aaa9de","sha256_after":"4fe8eaa09bf37fcd0c86b8cdfaafd400258ed48eddaad83584671dbb8430"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T02:33:10.676Z","size_after":41,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":97733,"mtime_before":"2023-03-02T02:32:10.676Z","inode_before":9460,"sha1_after":"0dfad19c896c69d14e0431dc950550981e364006","changed_attributes":["sha256"],"md5_after":"7b1da4525aebb4e3fd6f8818ba1226ca","sha256_after":"ac6aab9395b9d2b1b781624a9174d3eac94f14b9039dc1e6e147969688e9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T02:47:36.092Z","size_after":53,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":68871,"tags":["tmp"],"sha1_after":"46aa0e7f9fd7bd6d9b9ad26ff4474023bcf51ecb","audit":{"process":{"name":"/etc/sample","id":35552,"ppid":27465},"effective_user":{"name":"Administrators","id":97},"user":{"name":"NETWORK Service","id":99},"group":{"name":"Administrators","id":94}},"md5_after":"8c95def9cb88fc461d14f0a44925738d","sha256_after":"8834509269c65dc51420ecd1d924b164c374551cab53d7a775015751506a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T20:25:15.004Z","size_after":51,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":83646}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T12:40:50.550Z","size_after":51,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":18599,"tags":["tmp"],"sha1_after":"2bdff99f8a396a6366fb2cc0341bf0c59d305662","audit":{"process":{"name":"/home/user/sample","id":17120,"ppid":54213},"effective_user":{"name":"NETWORK Service","id":77},"user":{"name":"Administrators","id":6},"group":{"name":"LOCAL Service","id":16}},"md5_after":"a8fb10b4440a5028ce97fa246828a7c2","sha256_after":"642fa553107162708c421d4b811b2310bbe86c9f0e40a98c9bc876f6fc36"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-08T02:26:13.952Z","size_after":50,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":76246,"mtime_before":"2023-03-08T02:25:13.952Z","inode_before":10309,"sha1_after":"e817b2d97b260ad09c86017f4c131f463b5ace0c","changed_attributes":["md5"],"md5_after":"53cfe97f63657a096a560ae0c07bbd90","sha256_after":"de94f7b7d2e3021837d3a16ae8c0578ca884412fbebcb7519d8e56956e4a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T22:58:54.530Z","size_after":27,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":64807,"tags":["tmp"],"sha1_after":"c94c567feb855326a065926eb0e1fe7f6d11a784","audit":{"process":{"name":"/etc/sample","id":35250,"ppid":41747},"effective_user":{"name":"SYSTEM","id":33},"user":{"name":"SYSTEM","id":30},"group":{"name":"NETWORK Service","id":82}},"md5_after":"9ab158495c33d19eddd95792ab508c48","sha256_after":"75c22289f77abbfaff07f0e204fa4a47449c339111abbb1484bff2479304"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T13:34:16.921Z","size_after":57,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":81777,"mtime_before":"2023-03-06T13:33:16.921Z","inode_before":1195,"sha1_after":"da73ff9ff8974cd4b13ca56e0ce284761a62383f","changed_attributes":["sha256"],"md5_after":"91ef55f109350dd81d827b01f9ab6686","sha256_after":"2893c11db1fabbcb203479a18bc8209958e486e3e7cc3ef161b3dff40a39"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T01:34:16.138Z","size_after":38,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":18094}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T00:30:06.496Z","size_after":65,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":74917,"mtime_before":"2023-03-07T00:29:06.496Z","inode_before":73736,"sha1_after":"3acdc2c49d7ca2859707d6314b82f06ad6038d1f","changed_attributes":["inode"],"md5_after":"949da233fdc1eca19b1baa7d65f86c56","sha256_after":"ae84b5ebdc26c50f6bbdce3ebb250f15a4307811531beb65aeadf2e50210"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T23:25:42.773Z","size_after":12,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":72905,"mtime_before":"2023-03-03T23:24:42.773Z","inode_before":56398,"sha1_after":"238b5b328936c0a6779ecba65803fcfa3b07a21b","changed_attributes":["tmp"],"md5_after":"97e06c1e91615f5fb4ed21cf199962c9","sha256_after":"13672df210fc2061540aa86958176a4223d8565c70fc9a18da8833f17b0f"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T02:34:54.090Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":19426}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T21:46:41.756Z","size_after":31,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":25648,"tags":["tmp"],"sha1_after":"2511bbb3c4cc124207a5a9a58626d9af5c86f6ff","audit":{"process":{"name":"/etc/sample","id":69789,"ppid":95243},"effective_user":{"name":"NETWORK Service","id":96},"user":{"name":"LOCAL Service","id":71},"group":{"name":"LOCAL Service","id":25}},"md5_after":"0319427a6e1cb149a40acf90d099572a","sha256_after":"a0a0c8400eec71788d59de67f218e820b3c62a493e2b1b79bea59209d3c2"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T03:00:44.376Z","size_after":51,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":91672,"mtime_before":"2023-03-08T02:59:44.376Z","inode_before":50255,"sha1_after":"e41dccaa5abbfad2de902562fc8a5ef284d504e5","changed_attributes":["inode"],"md5_after":"12748cdf353a1017397c314b5627d6b8","sha256_after":"91be26288968b67befd075f451c9edd2e6e184230869f9005a107811898a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T14:31:45.593Z","size_after":31,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":77403,"tags":["tmp"],"sha1_after":"806bda44b6a92ca38c5c4665ee32e6c1ae967eb5","audit":{"process":{"name":"/home/user/sample","id":22835,"ppid":54454},"effective_user":{"name":"Administrators","id":58},"user":{"name":"suricata","id":16},"group":{"name":"root","id":48}},"md5_after":"b8c3ab87ee2d843eed6ffb844ead6c03","sha256_after":"5b7ac01780202daa956a73f5bd55ca15d97a3ceade6b3ae71eea7dc02a38"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T22:41:25.140Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":83592,"tags":["tmp"],"sha1_after":"76ff4aedbba5354df22824e320ddb15599fcdb21","audit":{"process":{"name":"/etc/sample","id":86477,"ppid":33096},"effective_user":{"name":"ec2-user","id":89},"user":{"name":"Administrators","id":83},"group":{"name":"SYSTEM","id":6}},"md5_after":"52f47ca597bc3762d9c582a5bd71c829","sha256_after":"2de1eebc8716bd88373a6463b2631d9797b2407028db59ddfe6c8dac9f67"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T08:57:32.406Z","size_after":39,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":26267,"tags":["tmp"],"sha1_after":"279eb7ac9e4def98d88903ee0195591cd8c6e0b5","audit":{"process":{"name":"/home/user/sample","id":95134,"ppid":51849},"effective_user":{"name":"root","id":67},"user":{"name":"Administrators","id":70},"group":{"name":"root","id":59}},"md5_after":"f224b3c2016292202b46f3e403c31f01","sha256_after":"34da2e680b00eb585f98a993c377960f34823d79f4ba7d06e72d9a1b2c86"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T10:34:14.251Z","size_after":62,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":51688,"tags":["tmp"],"sha1_after":"cddea0495526998e1fd4385899e3ee7dba681a04","audit":{"process":{"name":"/etc/sample","id":3368,"ppid":43476},"effective_user":{"name":"suricata","id":19},"user":{"name":"SYSTEM","id":25},"group":{"name":"Administrators","id":51}},"md5_after":"10a3ff411cbcdd9fe6ef7464d7b0c506","sha256_after":"e14673d8d5b2d3f07cf1bea0d8d0226743182de30a0d904aa4ea7e398039"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T01:14:55.615Z","size_after":50,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":67794,"tags":["tmp"],"sha1_after":"432da30341bf10f8460677fe2c2078f163d46c80","audit":{"process":{"name":"/tmp/sample","id":98532,"ppid":28175},"effective_user":{"name":"ec2-user","id":14},"user":{"name":"SYSTEM","id":11},"group":{"name":"Administrators","id":11}},"md5_after":"761dfacf0f6eb06c76b1ea24c9e3118a","sha256_after":"cf8c6744e9a9c0b9589e9751ace7c11a09af6822605374e465761923bb75"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T14:34:10.274Z","size_after":64,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":57424,"mtime_before":"2023-03-07T14:33:10.274Z","inode_before":44098,"sha1_after":"ef23900268101a2763819ea94b7e8bceead7bf72","changed_attributes":["md5"],"md5_after":"a8a564a5ea383317886bd6fd92100836","sha256_after":"11c3e705ccea2002737ad08337e1b3f7f5a9088cc0689a4170f145d8e249"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T07:22:48.921Z","size_after":61,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":23848,"tags":["tmp"],"sha1_after":"8024c3fce43f75a8ce342ea739ba5d983974b0d3","audit":{"process":{"name":"/tmp/sample","id":4492,"ppid":32485},"effective_user":{"name":"root","id":69},"user":{"name":"LOCAL Service","id":40},"group":{"name":"NETWORK Service","id":7}},"md5_after":"95765ba343ee5a98fdd0d8a5ea915d8e","sha256_after":"9f5c05e79eba72f6ee96985b73efa90c45217bb2ed33d79158bb51d08f8a"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T21:27:49.613Z","size_after":13,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":36414,"tags":["tmp"],"sha1_after":"378588611d9047af135a84beaf51803c1ad57a27","audit":{"process":{"name":"/etc/sample","id":86929,"ppid":23334},"effective_user":{"name":"NETWORK Service","id":26},"user":{"name":"SYSTEM","id":81},"group":{"name":"SYSTEM","id":7}},"md5_after":"9420135fa3bba0b3124170c731537b8c","sha256_after":"dc573125a09f184073fdce2de62c9d93457010803731a3fb6afc00fc8c50"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T21:31:08.884Z","size_after":40,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":57704,"mtime_before":"2023-03-02T21:30:08.884Z","inode_before":24679,"sha1_after":"4a5f075fa4a99ea526dc13121a8d66ee950b2fba","changed_attributes":["size"],"md5_after":"affb8dcccaad84999cff7d47ba185344","sha256_after":"3050820db20c4f4ecd449dd177986d09ddf3c9bfa867f27b142305dfa86a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T02:05:40.218Z","size_after":29,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":93939,"tags":["tmp"],"sha1_after":"f73c8efb6938c9c3d55c9d0c83612839e1a22bb0","audit":{"process":{"name":"/tmp/sample","id":40537,"ppid":17391},"effective_user":{"name":"Administrators","id":36},"user":{"name":"NETWORK Service","id":54},"group":{"name":"LOCAL 
Service","id":4}},"md5_after":"f6c6ceedcff1d82c980363b03e240a71","sha256_after":"fc6012aab2b313bdacd19051d412ed0291523e9ade3c0ece191c3f61b105"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T05:57:11.745Z","size_after":57,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":34581}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T22:46:03.651Z","size_after":27,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":59797}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T09:14:21.577Z","size_after":31,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":5862,"tags":["tmp"],"sha1_after":"e956b65afdf5e0897f2cf3bde8e84320c78a1079","audit":{"process":{"name":"/etc/sample","id":10678,"ppid":4291},"effective_user":{"name":"suricata","id":38},"user":{"name":"LOCAL Service","id":1},"group":{"name":"LOCAL Service","id":88}},"md5_after":"70bdcd9ccb9bdc60060cef411d794e1e","sha256_after":"5d9078d4ea609009043f75f9ba94dd1e6b8f50dbf9ce842df00c54f3da83"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T05:12:57.067Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":74602,"mtime_before":"2023-03-05T05:11:57.067Z","inode_before":25897,"sha1_after":"4bb03d0d506f0f7fa3a575aa03fed4bf70d9c615","changed_attributes":["size"],"md5_after":"8912426f2f797d42c6edf93c0727e613","sha256_after":"56d1ecbf4cf65a32619dfa6bce473a02f425f578013284e9d1fa890f210a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T15:27:55.724Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":15768,"mtime_before":"2023-03-04T15:26:55.724Z","inode_before":24595,"sha1_after":"54675785b4ea4a417e909623f824b1183ded186c","changed_attributes":["sha1"],"md5_after":"c3f2d52c01ea3505bf54bfc31e2353d9","sha256_after":"2b6221d008b17f56f3db73aec7f7608ce97b959dcc05b8d373efeb6a612c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T20:08:57.548Z","size_after":53,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":94456,"mtime_before":"2023-03-02T20:07:57.548Z","inode_before":77067,"sha1_after":"b0982a3a6f911f5abbd58dfdfbb8f57b3e9a37f1","changed_attributes":["mtime"],"md5_after":"3a5868f75ecb34ee24515e65d0a292ef","sha256_after":"6722bd9c0aa2067ee44c39505059866c14ffa0f30b65099fa0413ce38a6a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T11:01:48.603Z","size_after":23,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":27719,"mtime_before":"2023-03-02T11:00:48.603Z","inode_before":88835,"sha1_after":"e5ee8304abaddfb89cb7f804d85a1ef04ca88dbe","changed_attributes":["inode"],"md5_after":"e9e39b6fbb849129c8b665c0652050e4","sha256_after":"9dca2f7c194617c21db163e57f21760d59fda97f31c4ea8b9e9635c1e1bc"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T10:33:13.770Z","size_after":23,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":25504}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T14:54:27.382Z","size_after":45,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":81543,"mtime_before":"2023-03-07T14:53:27.382Z","inode_before":93841,"sha1_after":"02fe616893075f2f66357e8d7b0315269c3d393c","changed_attributes":["mtime"],"md5_after":"a156005a5783c1e4ac9fdd1aeac2ff75","sha256_after":"f493c7fa4237d8d65757d17ddc8737477d00f0423803c7562ce466b7c67a"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T04:10:36.246Z","size_after":24,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":74554}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T21:48:54.285Z","size_after":33,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":70246,"mtime_before":"2023-03-06T21:47:54.285Z","inode_before":3540,"sha1_after":"db82ad5538d253b4899d2b84e0b3e79bb535cf4c","changed_attributes":["inode"],"md5_after":"f50c8eb51ebb4601853e04e6c91aac33","sha256_after":"d2748870c57f4ac695dcb849d2fcbf46630334f5bbd256690e92ad155f1b"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T03:56:50.904Z","size_after":19,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":88887,"mtime_before":"2023-03-02T03:55:50.904Z","inode_before":11757,"sha1_after":"c7065e84ad356d9f673847f2087a780884555944","changed_attributes":["inode"],"md5_after":"80b968ea945bf82b99fb95569abc1b0d","sha256_after":"ca53d5d7df14221decdd16079b9104aafc2c32f6110fed5fdb3085fb0ad0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-04T23:47:24.071Z","size_after":35,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":18496,"mtime_before":"2023-03-04T23:46:24.071Z","inode_before":81300,"sha1_after":"553d478dfb75136a332efb790ecbfbe4b4f598b9","changed_attributes":["inode"],"md5_after":"ee5d9a016ba5d1f8d563cc5aa359e8f8","sha256_after":"a89506d1d50aab6bf1b3585be6afc502081b3ff4547f7e9676058fd03656"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T18:09:37.456Z","size_after":4,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":34819}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T02:07:10.665Z","size_after":12,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":38474}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T06:18:54.166Z","size_after":23,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":54004,"mtime_before":"2023-03-06T06:17:54.166Z","inode_before":60323,"sha1_after":"08f60d6bde02202b0191ea9038ca801461ec0139","changed_attributes":["md5"],"md5_after":"2e7b866de250c9756bc04dfa80066845","sha256_after":"c336a9b95f4979e6599fd97cc5e44e7cd35b750290204fc070b33df1ed1c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T16:10:11.690Z","size_after":27,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":39382,"mtime_before":"2023-03-05T16:09:11.690Z","inode_before":83117,"sha1_after":"ba9edd7496b517539c784ee859a746a4ebb14665","changed_attributes":["sha1"],"md5_after":"3acb7c087ef65a3c752f68dbb4b8af6c","sha256_after":"45d6b080d0122fc0872ecb230a42e6a0470e25fe9e0103b6679f2d7e7099"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T01:01:27.172Z","size_after":31,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":5758,"mtime_before":"2023-03-08T01:00:27.172Z","inode_before":13551,"sha1_after":"820e9bb59ebef8831091d8ce02da4dada8b07062","changed_attributes":["sha1"],"md5_after":"da311f6ac4ad776339e314ad638caf32","sha256_after":"74b4c0040f5de21aa356b6bdaa754a1a6c303b506a151670a5c16ded8c21"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T16:20:32.532Z","size_after":36,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":34858,"tags":["tmp"],"sha1_after":"1a31501c52cb898f5f079958e42e48b4e9028297","audit":{"process":{"name":"/tmp/sample","id":53671,"ppid":51999},"effective_user":{"name":"suricata","id":10},"user":{"name":"suricata","id":83},"group":{"name":"suricata","id":39}},"md5_after":"113bc5eb59452e404bcdc97b71d7871d","sha256_after":"a3b35b01b99425ebfca557ad8f86772b621c5c9811af3777a407848963a3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-06T00:45:06.881Z","size_after":17,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":43629,"mtime_before":"2023-03-06T00:44:06.881Z","inode_before":88395,"sha1_after":"acaa25b232d65b954d8dbab3ad09383aed253dbe","changed_attributes":["size"],"md5_after":"f2b9290dd52b172de64eb12387376300","sha256_after":"0dd1a3db9488ccf84a49966cd85aebc4757c13ea07fd935c74c5a7db9eb4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T14:59:12.558Z","size_after":44,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":76753}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T01:00:45.452Z","size_after":58,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":89556,"mtime_before":"2023-03-06T00:59:45.452Z","inode_before":64691,"sha1_after":"66652e381649ccb4a1a6dcf734596ab0af8c3368","changed_attributes":["inode"],"md5_after":"0730605bd4b7c95eda3102908a3a188c","sha256_after":"b05576770ea8ae5fcebcbec285ece54766536e531b1652e704690d5bdc83"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T10:06:40.738Z","size_after":48,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":48701,"mtime_before":"2023-03-02T10:05:40.738Z","inode_before":67257,"sha1_after":"59337ffa9b84dde5fedb4d2468f0811fec0bec50","changed_attributes":["md5"],"md5_after":"8675291aa5c65a427ad4396bfb3c4c06","sha256_after":"4c72fdb8c32b972b8ecf474db4136efea16bcd2d29245817223ca4677930"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T19:32:51.981Z","size_after":60,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":2076,"mtime_before":"2023-03-03T19:31:51.981Z","inode_before":13817,"sha1_after":"0e35ae5547e1739f8d525b693e7199b974a8ac36","changed_attributes":["inode"],"md5_after":"f75a7c3a6a5a509e035f78451dad066a","sha256_after":"d44bb191d84704a349d6989a4b8413cd77a2e8e7f384657ebc4ddf9947d1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T00:21:27.527Z","size_after":5,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":42880,"mtime_before":"2023-03-03T00:20:27.527Z","inode_before":40769,"sha1_after":"4181d9da7a83f27ddb2acba1e8fa98967b06d126","changed_attributes":["mtime"],"md5_after":"ef06928ee801de43564b47bdfff238d6","sha256_after":"cc1896a8d27b24d1164ff7f22dedac2f5ce240951f49e11a1bb4a4d31bfa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-08T04:43:32.722Z","size_after":14,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":50617,"mtime_before":"2023-03-08T04:42:32.722Z","inode_before":85899,"sha1_after":"59f0383427f70fa612b29dd3eb098f61ce629658","changed_attributes":["mtime"],"md5_after":"150a9a22d59076b854980a97742eb3fc","sha256_after":"1f4df13b4ce3e94f3c79376f5194b268a4a57d50d704740b11ec57cd594c"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T11:25:27.962Z","size_after":54,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":67857}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T12:31:52.424Z","size_after":6,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":41964,"mtime_before":"2023-03-04T12:30:52.424Z","inode_before":73369,"sha1_after":"6a5811f328c7844ed0e8c597e6ba7ff54ebe937d","changed_attributes":["sha256"],"md5_after":"13e976fe58a23625c708e6b2ec385925","sha256_after":"b71ebdaadc06ec1635ce99da1b5f7ef76e4817117253b15ec799dd317337"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T18:58:17.084Z","size_after":31,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":79910,"tags":["tmp"],"sha1_after":"203ede2652cb50d2985d5ce903a897ba7b403e73","audit":{"process":{"name":"/etc/sample","id":26339,"ppid":20443},"effective_user":{"name":"LOCAL Service","id":2},"user":{"name":"root","id":100},"group":{"name":"NETWORK Service","id":42}},"md5_after":"75656bfd8e071043a86e037b36ddc786","sha256_after":"b610e1c79da5a3fa99550924c1f560310324d02f04035ba8b1082fa3f5a6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T08:46:35.717Z","size_after":15,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":72408,"mtime_before":"2023-03-04T08:45:35.717Z","inode_before":92426,"sha1_after":"4fb3722bc400c3bacc5012fb6c53bcf7dd1dc2de","changed_attributes":["tmp"],"md5_after":"97d13b792f7b8698abc2e15547877bb3","sha256_after":"abc2f35ad429e61da786c177f0a6ef77b888482f282cee2f08f92cb64ad0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T00:46:26.928Z","size_after":33,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":65100,"tags":["tmp"],"sha1_after":"35c12842fc6ecdaac2edcedf634be119d5f72366","audit":{"process":{"name":"/home/user/sample","id":31847,"ppid":27953},"effective_user":{"name":"wazuh","id":100},"user":{"name":"wazuh","id":82},"group":{"name":"wazuh","id":86}},"md5_after":"2f9ddb07cee1abbdade625b1e69693f9","sha256_after":"2dd815521d4a73788f95eafb30415344252bbd4c11c375cd3a6c91a36dba"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T03:34:50.013Z","size_after":60,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":67137,"mtime_before":"2023-03-02T03:33:50.013Z","inode_before":16100,"sha1_after":"673ba30be0563fafb42f91cb2665628b6074c77e","changed_attributes":["sha256"],"md5_after":"22883e212f7de39164d96de729abf484","sha256_after":"b951e407a24050062f3b0c5508bdd708ecaead39289a13298d667f974253"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T14:26:35.733Z","size_after":16,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":95859,"tags":["tmp"],"sha1_after":"2c3ebdae287fe8550406c50434516a3e3b3a6ee4","audit":{"process":{"name":"/home/user/sample","id":8604,"ppid":14435},"effective_user":{"name":"LOCAL 
Service","id":71},"user":{"name":"ec2-user","id":62},"group":{"name":"suricata","id":83}},"md5_after":"c70932e9558652bc830c55bbe2ef9b50","sha256_after":"eac09747308adcc54a60e8a3b94898eb824c98bc1ff37b72d0036e62adfd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T12:26:47.558Z","size_after":31,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":4744,"mtime_before":"2023-03-02T12:25:47.558Z","inode_before":42646,"sha1_after":"b18535a4647034e2f5b64f3d52a0dd59c9b28baa","changed_attributes":["sha1"],"md5_after":"bb444827662fe8f76171a3b37d9547cd","sha256_after":"bbf15efa849092fa0294d349501fed9b5f17d1fa39776c2dcfa7b7da55a4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T01:11:26.905Z","size_after":51,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":22323,"mtime_before":"2023-03-08T01:10:26.905Z","inode_before":5497,"sha1_after":"de2e854002f5de2c3f50f938f4a8a0812c4b7007","changed_attributes":["mtime"],"md5_after":"c45a43fe9a76ed25dd79c60b973be90f","sha256_after":"0cae99f70ff1658f031394ae2ca161f972d1092d2cf52f3420fa0ea096c7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T17:33:12.290Z","size_after":34,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":5201,"tags":["tmp"],"sha1_after":"764019235ef4b2726397c21dc92719766128c9be","audit":{"process":{"name":"/etc/sample","id":60275,"ppid":33219},"effective_user":{"name":"wazuh","id":73},"user":{"name":"suricata","id":17},"group":{"name":"NETWORK 
Service","id":22}},"md5_after":"6ed014bf343a9dc4402f9a87e75d0edd","sha256_after":"b4576e60d2c14826ecf8f1b878dce0e8a9d8d11fbc7bb6fb736343e88549"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T14:51:46.911Z","size_after":2,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":4063,"mtime_before":"2023-03-01T14:50:46.911Z","inode_before":79245,"sha1_after":"238d1f106e3214442bee1b8db69284238d9d8a29","changed_attributes":["md5"],"md5_after":"28d037b80d4fa0980fe3752f12021b96","sha256_after":"af7ec1f701d13656f8e6718eaa5460a79eb581bb1e902cc8e29464bd78a4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T05:01:39.437Z","size_after":14,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":91463,"mtime_before":"2023-03-07T05:00:39.437Z","inode_before":85658,"sha1_after":"70573f73dfdce5d94cc7d721ee151347ca594570","changed_attributes":["sha256"],"md5_after":"ad77d8dd64d0810b88d952ef04c64cc1","sha256_after":"ffe478824825816007473d7e0dd06dceea10c0b9bc44b079409b52ea9d24"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T06:21:42.923Z","size_after":46,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":76699}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-02T07:33:48.332Z","size_after":55,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":11845}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T03:40:18.845Z","size_after":27,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":62125,"mtime_before":"2023-03-03T03:39:18.845Z","inode_before":76759,"sha1_after":"4116ee36404507e3fc0fec47134193c4bbbe4f08","changed_attributes":["inode"],"md5_after":"8fd2fe91373a3b3d5fa42e38f68b42d7","sha256_after":"e670a9146862ab05feeaf28c45bd4c39af38047858bab56164ee5271c62e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T11:55:09.227Z","size_after":63,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":24243,"mtime_before":"2023-03-07T11:54:09.227Z","inode_before":95914,"sha1_after":"006c7263b7040211aeba008130dfce5f661c2490","changed_attributes":["inode"],"md5_after":"3f9e51329923ce970d68356fb78d2fb9","sha256_after":"d9db98cce517ca9524b840a41022ce6ec42535899b39c42d3e24438ccda0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T09:19:39.061Z","size_after":4,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":448}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T02:19:37.920Z","size_after":32,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":54679,"tags":["tmp"],"sha1_after":"1c31818658daebbd88505afd82d07c1885a6b776","audit":{"process":{"name":"/home/user/sample","id":40149,"ppid":70957},"effective_user":{"name":"SYSTEM","id":3},"user":{"name":"SYSTEM","id":61},"group":{"name":"Administrators","id":66}},"md5_after":"97d8f88d7a33b779f76aadf0901e1d01","sha256_after":"87c2b44576d8b14270cb3a154ddb32876a5d50b436e3333a0b0c484f550f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T09:57:48.380Z","size_after":13,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":84735,"mtime_before":"2023-03-05T09:56:48.380Z","inode_before":95006,"sha1_after":"e542292e4f438b2f3e27826397720087eeb4d9fd","changed_attributes":["inode"],"md5_after":"628a949c7be89df21eb92104076cfca9","sha256_after":"b36489a66fdcd63ec1d1083dd68e4b23130c7e69a32457b9bb695f9b11a5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T15:40:41.464Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":65857}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-08T11:40:49.862Z","size_after":54,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":2567,"mtime_before":"2023-03-08T11:39:49.862Z","inode_before":2879,"sha1_after":"6267ab0b698371f0fc94466a7da24ef89d41f422","changed_attributes":["size"],"md5_after":"66ed3e4ee2bd81aa1728fb5bd339020b","sha256_after":"4744f9b05b8ed7af888f196e5170e9b32fe18e5bcac36669814c47c75672"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T20:35:11.127Z","size_after":14,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":75549,"tags":["tmp"],"sha1_after":"0a1b9b61a4eeb2dfd6cc1b493d0b851f8206f123","audit":{"process":{"name":"/home/user/sample","id":32400,"ppid":93785},"effective_user":{"name":"LOCAL 
Service","id":60},"user":{"name":"root","id":88},"group":{"name":"suricata","id":19}},"md5_after":"24958c0994ea9b59a3b07a8ad270f40a","sha256_after":"65e6006ec693667ad0a143fea786a518cd5652c553d874df7758bb19b749"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T10:26:58.889Z","size_after":27,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":26703,"tags":["tmp"],"sha1_after":"3c61ff0c5ea6f5f9408f3c25cd6b8684ee04e124","audit":{"process":{"name":"/etc/sample","id":47228,"ppid":80022},"effective_user":{"name":"root","id":64},"user":{"name":"SYSTEM","id":5},"group":{"name":"Administrators","id":62}},"md5_after":"4761d8782da75b7cae9b8406663cace8","sha256_after":"601d0e46536b1844a0e493b0a92926ac24bf9c89b286b68de7f9e411037f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T17:43:44.272Z","size_after":11,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":29389}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T10:45:55.272Z","size_after":4,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":54552,"tags":["tmp"],"sha1_after":"0432ff58635696ab261f038bdeb41ead4697aab8","audit":{"process":{"name":"/tmp/sample","id":67400,"ppid":80428},"effective_user":{"name":"suricata","id":10},"user":{"name":"ec2-user","id":44},"group":{"name":"root","id":47}},"md5_after":"a0470298bcce6f4a8734110de705f2cc","sha256_after":"0aefb1c60709f42b22d96f1a50101a09b28f662eb2f48ade74ee39a41ac7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T22:44:01.626Z","size_after":16,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":12749,"mtime_before":"2023-03-06T22:43:01.626Z","inode_before":95155,"sha1_after":"e8a8384e4a9dfc7224f86773f04ce03fa2ab63fb","changed_attributes":["inode"],"md5_after":"9338014d0e5a9c96d2622c49ae76b7f3","sha256_after":"5d4f96939a183341e581793fd5a245e7ad08c7e9cafd1dc39dbd4bcbe685"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T16:35:47.097Z","size_after":0,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":41826,"mtime_before":"2023-03-06T16:34:47.097Z","inode_before":85027,"sha1_after":"142c33c6ccc12fe861a267bc634a1362501a7624","changed_attributes":["inode"],"md5_after":"c77f6b07df11371a9e6613a10e5b628d","sha256_after":"06428c41e7ed0f703e062aa3a1ec1aed7b07dc6147ae86f897e6520295bd"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T02:22:15.386Z","size_after":49,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":54929,"mtime_before":"2023-03-07T02:21:15.386Z","inode_before":81736,"sha1_after":"9e5c19a4ec1e35405843612c5f8b370fd327274d","changed_attributes":["tmp"],"md5_after":"f1f72e252437651173ea409a31bd5026","sha256_after":"f7a33e716d0f954643a522a8f81c5f6aa85c2b4979a3bf5736663848bfb2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T07:07:27.441Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":60809}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T20:09:49.931Z","size_after":58,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":62496,"mtime_before":"2023-03-04T20:08:49.931Z","inode_before":47120,"sha1_after":"a3b059641cdf4ee97404ec0251e0a5faa585fe77","changed_attributes":["inode"],"md5_after":"3ebf6d4677e29df748b64bfb4f83aef6","sha256_after":"8ff014d9ecdc7c6e9577a419e831ababb5fe75fdce4aa4b2f53a2911f650"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T13:31:21.545Z","size_after":8,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":28418,"mtime_before":"2023-03-06T13:30:21.545Z","inode_before":12242,"sha1_after":"520fbe28584da880a6bfff4ae6532367b03ebee2","changed_attributes":["md5"],"md5_after":"9a622e3d91327c7d189dc09d689e6c36","sha256_after":"a1ebdf3588272d20a93725c9c871c287329867b06621cc4aca017288e8e8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T18:00:02.417Z","size_after":50,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":80563,"mtime_before":"2023-03-02T17:59:02.417Z","inode_before":39091,"sha1_after":"2a79837cb6c8253c8e171a18ca3602daf4192eba","changed_attributes":["sha256"],"md5_after":"43320cf3f8fa137a750443f027017421","sha256_after":"b0e8956719da86ada1c3728df4881e987ee0cb60ac3cd5e1ca9f0a1674d5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T12:04:46.013Z","size_after":57,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":22399,"mtime_before":"2023-03-03T12:03:46.013Z","inode_before":11603,"sha1_after":"84e258526a15131dd9fbc04b5fd88c8a566b88da","changed_attributes":["sha1"],"md5_after":"209f1a23091e3c3b34732d7fd0bf1de3","sha256_after":"a6f9350188dce98be8bb33797cf095b7d3f7a7f983fb45af3a4e6476ab37"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T10:14:16.186Z","size_after":33,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":60240}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T21:16:27.730Z","size_after":25,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":99013,"tags":["tmp"],"sha1_after":"ce6ed4d2f933285627b04b90f9d7d35428f5d7ac","audit":{"process":{"name":"/etc/sample","id":23542,"ppid":40137},"effective_user":{"name":"root","id":75},"user":{"name":"suricata","id":48},"group":{"name":"LOCAL Service","id":67}},"md5_after":"8e234734a97a78a64a6a7612aa3f7860","sha256_after":"245726defec7333358e692e53164b1e5c7bec68a6c2ad1c0485089c92194"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T14:09:56.556Z","size_after":23,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":35957,"tags":["tmp"],"sha1_after":"5930ce213f8da957e2817f8c1713c4f3e08efb7b","audit":{"process":{"name":"/home/user/sample","id":84603,"ppid":53785},"effective_user":{"name":"ec2-user","id":4},"user":{"name":"LOCAL 
Service","id":26},"group":{"name":"ec2-user","id":58}},"md5_after":"44b3a1b475464ab017ae164e14d2405d","sha256_after":"12978ff0c9ec66a239f793a13d02127cc25aae404661af9cfd9c9320b31b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T12:43:05.435Z","size_after":45,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":12573,"mtime_before":"2023-03-01T12:42:05.435Z","inode_before":66082,"sha1_after":"4afb7e6888c368deb28b23772183a388855a2ce5","changed_attributes":["size"],"md5_after":"5f813dd7d6cb40d65c1bece70d900ffa","sha256_after":"bdd59ebebfa02ce9ebf60c655426f8be3afaa98aaa23c2eb0fd902acb16c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T19:38:11.676Z","size_after":18,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":55510,"mtime_before":"2023-03-03T19:37:11.676Z","inode_before":16262,"sha1_after":"b40b9207e8ada2a693a90cd4feb9b8dd9dd6673b","changed_attributes":["size"],"md5_after":"06c93ef66324844ad36cf36eb9111795","sha256_after":"7df150659252c765ccde3f9b006bcc2435d73b8cfec4f7e626556e2140e9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T08:49:29.942Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":92989}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T23:49:50.966Z","size_after":8,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":49458,"mtime_before":"2023-03-04T23:48:50.966Z","inode_before":58205,"sha1_after":"4694d0a640c2d136fcb3def95e89e3eb28077a75","changed_attributes":["inode"],"md5_after":"492d842a7ceb798cf958a62b14561f99","sha256_after":"0b8692a59c28d08c77d58ea9751c69be9430ee69492a9675aef2bcca9c41"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T20:05:27.042Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":1141}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T19:57:27.578Z","size_after":59,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":91080,"tags":["tmp"],"sha1_after":"5959d454b90adc9e46d598806e765b3e73fcd22c","audit":{"process":{"name":"/home/user/sample","id":11078,"ppid":21574},"effective_user":{"name":"SYSTEM","id":7},"user":{"name":"ec2-user","id":60},"group":{"name":"SYSTEM","id":80}},"md5_after":"6bec34e8d1858cca26228b4e4edaab52","sha256_after":"91f0c0150830f2a5a8f25960ea1dfe2293789a6b9d940109d18693ff1270"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T12:16:47.701Z","size_after":9,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":94082}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T14:47:26.600Z","size_after":10,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":13708,"mtime_before":"2023-03-01T14:46:26.600Z","inode_before":27636,"sha1_after":"4d9200ec6172e609c0dd12594f431c9c13ee9dfc","changed_attributes":["tmp"],"md5_after":"83ea6523a4e9357f8fe47f733aa465b2","sha256_after":"581f26f04165900a6ecc2cef7cd61676a17ace439d6616ce0ec35630ef38"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-05T01:03:12.036Z","size_after":11,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":79170,"tags":["tmp"],"sha1_after":"1e67bd792c4d6c1bcc9669853ff1797c517ea0fc","audit":{"process":{"name":"/etc/sample","id":92038,"ppid":76250},"effective_user":{"name":"Administrators","id":1},"user":{"name":"wazuh","id":89},"group":{"name":"SYSTEM","id":27}},"md5_after":"c92ae5236c28ea87666d5fd7f52f20fa","sha256_after":"34d9f8484b33973bf8a5b2053871bacb32fa4608a377a8e6b6a6736f5889"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T05:45:21.702Z","size_after":53,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25937,"mtime_before":"2023-03-06T05:44:21.702Z","inode_before":15365,"sha1_after":"e1b15a9b8ca3c9040523b86e3c7be7e7a6bb1f29","changed_attributes":["tmp"],"md5_after":"717d80c6fe737b733bd6cc0265b6157f","sha256_after":"165c367a0f16d8cf463c6c160520536b0572d45de859f9e40e74982aa1f5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T09:53:07.522Z","size_after":38,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":61531,"tags":["tmp"],"sha1_after":"49cfbaa8daf31287f6577f33bfcadd02e8da2fa9","audit":{"process":{"name":"/home/user/sample","id":20926,"ppid":1667},"effective_user":{"name":"Administrators","id":14},"user":{"name":"suricata","id":30},"group":{"name":"LOCAL Service","id":67}},"md5_after":"c1832b415f16c268ff6e227a13c6838f","sha256_after":"d84cefda5e7437108b0fb67e08c9e3f26eb5532ea7a30fc4a980f9aa72e2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T04:29:45.672Z","size_after":3,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":45282}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T06:12:43.506Z","size_after":62,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":26824,"tags":["tmp"],"sha1_after":"6c0541f67c4f04aa71511425875cbae85d22ad17","audit":{"process":{"name":"/etc/sample","id":57091,"ppid":17545},"effective_user":{"name":"Administrators","id":12},"user":{"name":"root","id":56},"group":{"name":"suricata","id":55}},"md5_after":"e863ec6b21f857b09e33a248e2991ca8","sha256_after":"49c30000eba637c12e345a2f9a68cc118e20b9fd7eea4c0051b0c8701603"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-06T06:48:10.440Z","size_after":52,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":87921,"mtime_before":"2023-03-06T06:47:10.440Z","inode_before":80534,"sha1_after":"6b477b7598043bbf98d6197d8f6543aa87cda688","changed_attributes":["sha1"],"md5_after":"ecac3243c8c30ecd5fc8fdc3796dcfe4","sha256_after":"106764039f3c0a461d39d8d0af16418a3ec02b15fa20fca1422fcc03490d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T04:08:27.605Z","size_after":15,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":30375,"mtime_before":"2023-03-04T04:07:27.605Z","inode_before":67084,"sha1_after":"2b96d90d2e0adfa8ca7e0a84b4ad253ab433c86d","changed_attributes":["md5"],"md5_after":"b3bf8fb64c014827009e756acb3ef942","sha256_after":"95f39d9a9e9843bece849377acb2750ee02e3f934a3b5df050ecd4d29140"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T18:16:37.994Z","size_after":14,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":3984,"mtime_before":"2023-03-06T18:15:37.994Z","inode_before":689,"sha1_after":"8fc69bc63510f637811e6b6b0316f7755b9d67e0","changed_attributes":["sha1"],"md5_after":"4374072dec30ebc389060b97eda80b8a","sha256_after":"613c97def0638ac45c278dd8eb5628b80764adbcbf0b733bd159bfd6deea"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T06:40:53.917Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":32543,"tags":["tmp"],"sha1_after":"9ad76632ae48994683c13e6dc901e189f1c04b11","audit":{"process":{"name":"/etc/sample","id":12006,"ppid":55577},"effective_user":{"name":"SYSTEM","id":48},"user":{"name":"suricata","id":70},"group":{"name":"NETWORK 
Service","id":62}},"md5_after":"3f74af817de3f74ef20a88fad2df2521","sha256_after":"1687e89568f8f9bd06c320da9062b2ad3f756079a593fe796cabb5c3f495"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T18:42:38.486Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":46058,"tags":["tmp"],"sha1_after":"530eee480e5faed684046ac8f0e1c12e33b895a7","audit":{"process":{"name":"/etc/sample","id":88853,"ppid":36035},"effective_user":{"name":"LOCAL Service","id":46},"user":{"name":"Administrators","id":84},"group":{"name":"LOCAL Service","id":15}},"md5_after":"2f87817598d0dc6f93a8f4942a588006","sha256_after":"00e6d3773e2e1874e9fab5ffea887b5435371fac7e672ae57a0365f7b29b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T03:49:21.760Z","size_after":36,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":88706,"mtime_before":"2023-03-07T03:48:21.760Z","inode_before":76455,"sha1_after":"5ece419b37ed8210c8c0c65f1754d3a2a2fd343d","changed_attributes":["inode"],"md5_after":"5b1b1237e9468cde5b86b8a1443a95e4","sha256_after":"87ef7250af521bc8353499e01352ce4155f125598d7163c26a3192b4e059"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T03:07:35.539Z","size_after":7,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":29233}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T23:16:27.936Z","size_after":10,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":49823,"mtime_before":"2023-03-03T23:15:27.936Z","inode_before":32834,"sha1_after":"fd00a629360eef70245070716a5409e3e6546581","changed_attributes":["mtime"],"md5_after":"94936ebb5e8f4ab2ce6588742693ff77","sha256_after":"8e6609088073355956fca98e6d48f1dbe2a34fb7fb9bc418afb5ec49b5c6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T12:15:23.877Z","size_after":28,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":92597,"mtime_before":"2023-03-01T12:14:23.877Z","inode_before":94105,"sha1_after":"1fd0d477c1ce82082b673cb8c3c441b4bcbd780b","changed_attributes":["tmp"],"md5_after":"33be2557bb2cd1ebd22f362501d67917","sha256_after":"0cc902c89745d621f21bf5c4768ab2af66bf730365d3cf89725fcb5b812c"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T15:09:28.362Z","size_after":60,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":70379}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T00:10:20.862Z","size_after":16,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":38010,"mtime_before":"2023-03-03T00:09:20.862Z","inode_before":94702,"sha1_after":"fc369ff7752544378916b1376160ac52e3af8869","changed_attributes":["mtime"],"md5_after":"0b5ff635d08d117f7f3e31aa1dcd1cef","sha256_after":"b769a3488e7aaf1e05c0582f279ba34809e05cea8f1221738aa37ed39d41"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T19:56:47.793Z","size_after":28,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":89282,"tags":["tmp"],"sha1_after":"a46ced2f23e22df5bc0c1e759f59c8257aa7a71f","audit":{"process":{"name":"/tmp/sample","id":81808,"ppid":41949},"effective_user":{"name":"ec2-user","id":9},"user":{"name":"LOCAL Service","id":70},"group":{"name":"SYSTEM","id":22}},"md5_after":"96dab5ef1d08218ee033e70ed968969b","sha256_after":"851d3f5d5fdb032f086f9a83f3dcbb3cdebd31d431122c04ebc7a1e67ef3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T22:18:08.394Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":93855}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T19:24:26.001Z","size_after":6,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":59695,"tags":["tmp"],"sha1_after":"89a8b216693a16534e7dc6339c3457a30f0808f5","audit":{"process":{"name":"/tmp/sample","id":90688,"ppid":57240},"effective_user":{"name":"root","id":4},"user":{"name":"root","id":44},"group":{"name":"wazuh","id":1}},"md5_after":"a56a9ba6568a3773311a5a635871e991","sha256_after":"e08cd7af31a6645b7429e2bbe4c0f0b7be8676c3e3dee7a1520a9921bf84"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T05:32:42.108Z","size_after":5,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":62863,"tags":["tmp"],"sha1_after":"1489e88f2a987ce1f69f5e9ec15b17e33881acc8","audit":{"process":{"name":"/tmp/sample","id":85876,"ppid":93684},"effective_user":{"name":"root","id":36},"user":{"name":"NETWORK Service","id":70},"group":{"name":"LOCAL 
Service","id":8}},"md5_after":"b73bda822c9ab157d70148d6aa607fee","sha256_after":"8ca4d295b7d7cc3efe10322358fe83115ad9dd7de2133f54dd9542255ed7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T22:46:29.918Z","size_after":43,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":70986}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-02T17:09:58.701Z","size_after":5,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":57845,"tags":["tmp"],"sha1_after":"56cb7cf6ac3c45c16e093e5018a0b6e9a514fe7d","audit":{"process":{"name":"/home/user/sample","id":61467,"ppid":16062},"effective_user":{"name":"root","id":24},"user":{"name":"wazuh","id":8},"group":{"name":"suricata","id":0}},"md5_after":"23688c366ee529888592036807c7f464","sha256_after":"f73a0eb97bbe5686ad3557ef3dcf64635769d97a577850535970d4146b86"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T11:39:18.116Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":23560,"tags":["tmp"],"sha1_after":"6124d863d46e410d0727fbe535053267c2a957ec","audit":{"process":{"name":"/tmp/sample","id":48467,"ppid":20552},"effective_user":{"name":"wazuh","id":6},"user":{"name":"Administrators","id":89},"group":{"name":"root","id":12}},"md5_after":"77c4c3a2f45d9dc6ba7e0e04be7ef3fe","sha256_after":"939837a046c9caeb5a28374df9e663cb8daf62140e927371ea48ac5f383b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T16:37:31.319Z","size_after":29,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":40727,"tags":["tmp"],"sha1_after":"f53bc3a88c6a666d00dd43abe0cbe73357b70001","audit":{"process":{"name":"/tmp/sample","id":45698,"ppid":56023},"effective_user":{"name":"Administrators","id":48},"user":{"name":"Administrators","id":95},"group":{"name":"root","id":86}},"md5_after":"79b56001efa0f06e512db3a84799d811","sha256_after":"ac24b0b77d99e593701d1e825c274f9447af9203e19a4e92d94986e28f3b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T13:45:10.913Z","size_after":21,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":44226,"tags":["tmp"],"sha1_after":"8c8be35f5d231bbbad4a525c0b7ba53bc5ed44cb","audit":{"process":{"name":"/home/user/sample","id":80532,"ppid":36703},"effective_user":{"name":"root","id":33},"user":{"name":"SYSTEM","id":97},"group":{"name":"Administrators","id":92}},"md5_after":"5411ee1aac686dd6b6427ac5758f4666","sha256_after":"0a1223f56c05c52fed745ba6292711b1122a3731f175f576988eaf63e360"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T23:28:48.241Z","size_after":37,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":58868,"mtime_before":"2023-03-05T23:27:48.241Z","inode_before":84380,"sha1_after":"57980e3fd15d1360cfa7fdbbbc991774f962c27d","changed_attributes":["sha1"],"md5_after":"fc1fa8b58f955ffdb2e7c14fb1f768db","sha256_after":"753e11da5f3b6adb023773d517eb77b1a110f360a3d42561f96ad895bb8e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T10:41:24.421Z","size_after":28,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":98123}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T15:53:34.002Z","size_after":41,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":77274,"tags":["tmp"],"sha1_after":"2da659d897f68efc2c9cf483baf11ae6016f4a66","audit":{"process":{"name":"/tmp/sample","id":88248,"ppid":46460},"effective_user":{"name":"LOCAL Service","id":43},"user":{"name":"ec2-user","id":80},"group":{"name":"SYSTEM","id":46}},"md5_after":"af56012d1efe76a479e71ede7c00e8be","sha256_after":"265465ed00bb5d053a1c61958c89647cf51e3426a41da868f451dd3ade77"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T07:18:38.073Z","size_after":58,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":61119,"mtime_before":"2023-03-05T07:17:38.073Z","inode_before":50355,"sha1_after":"20bcba555ca9b912f2447cd44e1167713e3dff44","changed_attributes":["sha1"],"md5_after":"4fafc130e217a99749c3dc31ef3e2274","sha256_after":"faa6c56730ca7cd2d4755e19f37c0fa5712b029c77fc3b26db6bfc491735"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T18:47:49.268Z","size_after":25,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":57579,"mtime_before":"2023-03-04T18:46:49.268Z","inode_before":35233,"sha1_after":"e84e117d20a5cb70d17baa1b2e3b4f0de0da77ea","changed_attributes":["size"],"md5_after":"dbd4652bb81ba11c380f8fd9b06704da","sha256_after":"39609ae76c958acb02b6db5560e390765dff802842ef5c0c3c815297994e"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T21:33:37.556Z","size_after":60,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":19099}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T01:42:27.084Z","size_after":34,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":1304,"tags":["tmp"],"sha1_after":"5f80a7b185caa5263f6b7c0e4768809d0c4ac57e","audit":{"process":{"name":"/etc/sample","id":62473,"ppid":30894},"effective_user":{"name":"ec2-user","id":100},"user":{"name":"root","id":49},"group":{"name":"NETWORK Service","id":66}},"md5_after":"6730170048ef73a563f28001346f68ae","sha256_after":"c0c423a5abc51056a7d7e62c02ebfc800697ec56b6a6f80282a9a3237328"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T22:03:24.057Z","size_after":11,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":46389,"mtime_before":"2023-03-03T22:02:24.057Z","inode_before":69445,"sha1_after":"e16176314b59c229f87d9a4d476405123da81f0d","changed_attributes":["size"],"md5_after":"81255beeb50d268af5d0bee2b47933a5","sha256_after":"2c91060ee54fe7336c1766a02421c4dd8f0bf50fc89b4dcaea3cbc7e64bb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T15:05:38.301Z","size_after":61,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":39622,"tags":["tmp"],"sha1_after":"bb395f48154a586aa0b656c53328997d69490090","audit":{"process":{"name":"/home/user/sample","id":67787,"ppid":18088},"effective_user":{"name":"wazuh","id":34},"user":{"name":"NETWORK Service","id":16},"group":{"name":"LOCAL Service","id":15}},"md5_after":"6c8ab2b9dcc81d87837fd519d69903a8","sha256_after":"28b77437cefacf9c9828b52a1104dd4fd0702cab1174e4a160cfeb58e046"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T00:41:15.446Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":46190}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T10:49:09.559Z","size_after":52,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":49396,"tags":["tmp"],"sha1_after":"621ba4f6548a37515d376e6ce58671b19076a2a0","audit":{"process":{"name":"/home/user/sample","id":41584,"ppid":53506},"effective_user":{"name":"SYSTEM","id":11},"user":{"name":"suricata","id":50},"group":{"name":"Administrators","id":13}},"md5_after":"cfb26ffb117faa078275ac24a01c6b9a","sha256_after":"65ad72d6c28a7fc0572c4af3bf754a9d11b5555d82c20b18600145fb8204"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T23:28:04.475Z","size_after":20,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":54598,"mtime_before":"2023-03-07T23:27:04.475Z","inode_before":41265,"sha1_after":"9c14bb3e771bf992020f96b3be0b68da27dcf54b","changed_attributes":["size"],"md5_after":"3008d2bc275e95583261f5c97bbf73b6","sha256_after":"e19926e8d3d8bf5dced992cc30753d5a3ce11b08c0602f5c788494a2e3bd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T12:05:14.228Z","size_after":43,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":2951,"tags":["tmp"],"sha1_after":"6b9d85dc905dd1d19f77657e575c74839e392380","audit":{"process":{"name":"/etc/sample","id":89537,"ppid":5852},"effective_user":{"name":"suricata","id":18},"user":{"name":"root","id":1},"group":{"name":"suricata","id":71}},"md5_after":"6c6a70f61b5895948007bfafb575ae59","sha256_after":"e836dc9651ad1da90bda73fa782ece309cbfa39cc3896c82b38c7e3f3550"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T21:42:36.424Z","size_after":30,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":67191}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T23:14:39.796Z","size_after":0,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":2784,"mtime_before":"2023-03-05T23:13:39.796Z","inode_before":24746,"sha1_after":"fbd903dbddabc8a2ac5ee4df320871a644d1f886","changed_attributes":["sha256"],"md5_after":"a3b4550a38b01538606123fb6f35bebd","sha256_after":"9c78295879ad77abc3cfc7d306080a3d2a9c4474f804699f1555caa428e4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T03:18:11.585Z","size_after":50,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":75302}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T15:31:28.004Z","size_after":28,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":88461,"tags":["tmp"],"sha1_after":"6ea5c8524016b5d8f5b2a0e1599b95965e41bdcf","audit":{"process":{"name":"/etc/sample","id":93480,"ppid":89944},"effective_user":{"name":"NETWORK Service","id":13},"user":{"name":"ec2-user","id":17},"group":{"name":"SYSTEM","id":81}},"md5_after":"651c94d052a8c15d5d0c34fa65fd4af8","sha256_after":"6d129e8d264c2e9ef70282039a52edbde16fdde51906da4f761436eb5876"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T19:56:22.169Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":85455}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T06:26:55.291Z","size_after":0,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":18551,"mtime_before":"2023-03-04T06:25:55.291Z","inode_before":7750,"sha1_after":"e5068393c9487264b3e501b186081a7cff44b714","changed_attributes":["mtime"],"md5_after":"e8e00e4284ec7f3c51c6844abe0ab8fd","sha256_after":"848b29dd4d9483163a5542d77c28412ee9fb1c26ef49e6ca5faad372b5f0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T22:18:04.349Z","size_after":14,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":44164,"mtime_before":"2023-03-07T22:17:04.349Z","inode_before":1922,"sha1_after":"a1871bcaa6442c80c4e833b780ff07a76bc9cbcd","changed_attributes":["sha1"],"md5_after":"945332c84a4c62a92c10460fbc647363","sha256_after":"27ee5d97551119c727140a17fab4c150baaf40dd7cf2fee68f529fb2b1f1"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T11:40:18.532Z","size_after":38,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":84529,"mtime_before":"2023-03-04T11:39:18.532Z","inode_before":40900,"sha1_after":"c1809adf3353a5620600e7afc21f51f43ecb5d86","changed_attributes":["tmp"],"md5_after":"b2dff7baf0ec6725c8b76aea8af83de8","sha256_after":"9a0f752746b9e3bb073289bd11d91431b96ccd9044b105bfa204f285ff11"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T09:30:49.280Z","size_after":33,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":8398,"mtime_before":"2023-03-07T09:29:49.280Z","inode_before":86825,"sha1_after":"f2ba995de64b993fd03d768627d1a53e18f53341","changed_attributes":["sha256"],"md5_after":"0cdfa1da91af771e16f43635dba5a1c0","sha256_after":"6c440ac7d5ae938fa6abd8d89e5096aefc80f8d6080a34c2e774f7ff866e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T13:39:07.331Z","size_after":30,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":97439}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T22:36:40.680Z","size_after":39,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":86343,"tags":["tmp"],"sha1_after":"f960495f37ca65edbbff91c9861184af593b8bd1","audit":{"process":{"name":"/home/user/sample","id":60637,"ppid":33622},"effective_user":{"name":"wazuh","id":71},"user":{"name":"root","id":30},"group":{"name":"suricata","id":58}},"md5_after":"ec65888547d9f6a1f067d157752926b0","sha256_after":"225d46de4089ab6831650c0b11bd8188252e0336a85f57c3ad7ba1078047"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T23:22:16.683Z","size_after":62,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":19140}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-08T11:55:46.915Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":38948,"mtime_before":"2023-03-08T11:54:46.915Z","inode_before":25153,"sha1_after":"caa81194f9700cc709366dbed09e4b294f7ee11b","changed_attributes":["size"],"md5_after":"edf6b84446ff6b31e98ff1e18caf168c","sha256_after":"d02f1a6e5fdd1737aa441fe9ac9706c8797eb866b364c69e51d0ea4b9311"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T01:51:29.149Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":8947,"tags":["tmp"],"sha1_after":"af62c33d8d22dc20b73242614c5fd1b865a51118","audit":{"process":{"name":"/etc/sample","id":58178,"ppid":66270},"effective_user":{"name":"wazuh","id":95},"user":{"name":"NETWORK Service","id":61},"group":{"name":"LOCAL 
Service","id":35}},"md5_after":"1fd475dc51d3e6860e445cb9d05c49bf","sha256_after":"0a6096d008ff3e46708378f199f547818839fc989bd9fd95df49ff3084fa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T17:01:14.535Z","size_after":32,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":2998,"mtime_before":"2023-03-02T17:00:14.535Z","inode_before":40014,"sha1_after":"904c5dc348fd35f132ecc186db0e7a7f9eb0fb4c","changed_attributes":["tmp"],"md5_after":"d28233eec3ca85f01314facfd77ac494","sha256_after":"d52d25285d5d0d8bed0b50ad773a7ceb558c28319d6f6c0adaee28597a70"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T17:24:16.285Z","size_after":16,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":60158,"mtime_before":"2023-03-04T17:23:16.285Z","inode_before":84459,"sha1_after":"7d7468c317cc19fe6a51fee422587a0ba73cc48d","changed_attributes":["tmp"],"md5_after":"f83dc90cf5c8741856c4451fbb0268da","sha256_after":"c5ad1a8d948db5db523dbc1ff3954b45456b9447f8ae87b423838a5eb2ee"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T06:37:48.883Z","size_after":18,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":96278,"tags":["tmp"],"sha1_after":"2e6321af2181556a2f69728579ca12ea28ce7eed","audit":{"process":{"name":"/etc/sample","id":38259,"ppid":77280},"effective_user":{"name":"LOCAL Service","id":72},"user":{"name":"LOCAL 
Service","id":59},"group":{"name":"wazuh","id":35}},"md5_after":"34b40606a44c5bc056b4a2eb629ffbe6","sha256_after":"e5d978616713b01db900b07bc8d486eee6a83dae1e2f9f52275b982548fd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T14:55:10.345Z","size_after":50,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":60700,"tags":["tmp"],"sha1_after":"d009d8ee09182260de3ba36ee2b55be62428b3f3","audit":{"process":{"name":"/tmp/sample","id":61102,"ppid":35467},"effective_user":{"name":"Administrators","id":15},"user":{"name":"NETWORK Service","id":90},"group":{"name":"wazuh","id":82}},"md5_after":"ba7ed7356cf0698ad43ff4575c4b0954","sha256_after":"fbd46adeac39e37772f397b58e23c6c9e76d052828820eb4cf83025ed40d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T04:01:14.436Z","size_after":32,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":78682}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T09:59:02.366Z","size_after":33,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":71704}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T09:39:06.564Z","size_after":51,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":70139,"mtime_before":"2023-03-02T09:38:06.564Z","inode_before":47031,"sha1_after":"db8d578c6c20c7c190d8e95fead77cc317f9d8ec","changed_attributes":["inode"],"md5_after":"9a200e01f034571983f4b425830732f1","sha256_after":"4aae6aecd3839fef764e40c51ef3b0657babf3f3dc4f351ffa275ebef609"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T05:35:43.739Z","size_after":8,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":19156,"mtime_before":"2023-03-07T05:34:43.739Z","inode_before":97462,"sha1_after":"d2ba8e13c5508db37e7714943900dea6e1a628a9","changed_attributes":["sha256"],"md5_after":"9911dbb0f7fa1edb30de7c3a15897c40","sha256_after":"5fd698b620b0cbe25ff9a9a9c0758603c4ff17b2d8740f0247842e92ea20"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T15:50:27.088Z","size_after":63,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":44037,"tags":["tmp"],"sha1_after":"30d3c69feb0fa0dec6f24051a864166eb41102ac","audit":{"process":{"name":"/home/user/sample","id":91441,"ppid":98287},"effective_user":{"name":"Administrators","id":58},"user":{"name":"wazuh","id":80},"group":{"name":"suricata","id":15}},"md5_after":"2c83408a908a7b9825ed738fd9a666ec","sha256_after":"c194d54de0db3e52f6857c2319242fffd8058a6a9d4d49f7160fa3b00abc"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T22:25:14.156Z","size_after":36,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":71489}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T01:23:48.874Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":87403,"mtime_before":"2023-03-04T01:22:48.874Z","inode_before":69215,"sha1_after":"1f831557d199e15bcdf4784f7a12ee9f99038106","changed_attributes":["tmp"],"md5_after":"b97dc00305d5465c9a59d9f27eaabc01","sha256_after":"e42ae2384285d6e491fa709dff2364089f3223b2504ff9c2d8fa470d1d35"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T20:41:09.712Z","size_after":47,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":37354}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T13:36:26.552Z","size_after":36,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":42394}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T17:45:23.656Z","size_after":31,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":65988,"mtime_before":"2023-03-01T17:44:23.656Z","inode_before":37698,"sha1_after":"13b806b32cea6a21a839a5953aedb2770b7fff8c","changed_attributes":["sha1"],"md5_after":"d124a6aff58d16d097effe04347610b9","sha256_after":"a081e0e16967a5879afd405f00c74110a6efd0f553fdf13b92ab9d32fa3b"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T04:07:19.043Z","size_after":24,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":15605}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T18:28:12.851Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":6322,"mtime_before":"2023-03-05T18:27:12.851Z","inode_before":88623,"sha1_after":"71a88017658be0bcbe934f39f1e0705040d51190","changed_attributes":["md5"],"md5_after":"d66f8d2181cb4d68ba71d6e267239e86","sha256_after":"5ac6f15126bc8b13978ee18e848d1e33e127f96cd3e316fdc62fccf93d45"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T19:12:50.994Z","size_after":17,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":9997}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T15:24:53.397Z","size_after":29,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":45293}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T13:19:41.972Z","size_after":30,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":7719,"mtime_before":"2023-03-07T13:18:41.972Z","inode_before":53503,"sha1_after":"268abae8d4ae9184b50c84cb33a96d48fd56fa28","changed_attributes":["inode"],"md5_after":"15e28bc0b7ce8f6d813fbc6686dfea9a","sha256_after":"51c8f1219905cc6bda290d7b4960b83d76056b48749fc188cbf4c0eea60c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T21:10:34.899Z","size_after":10,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":27947,"tags":["tmp"],"sha1_after":"50a210a3a8779abf87f7b4b694c6466b18f62d40","audit":{"process":{"name":"/etc/sample","id":84909,"ppid":73127},"effective_user":{"name":"Administrators","id":4},"user":{"name":"wazuh","id":60},"group":{"name":"SYSTEM","id":94}},"md5_after":"b3590f53e918beeba15511c113802ad3","sha256_after":"738b82ae7b53672c8edbdf6c9c8f4fc13e2afd6e1783fb344ce62562ea18"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T05:15:22.730Z","size_after":6,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":78140}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T04:02:49.571Z","size_after":56,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":23493}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T03:37:21.645Z","size_after":9,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":78806,"mtime_before":"2023-03-06T03:36:21.645Z","inode_before":50749,"sha1_after":"6a31ff334b325585e26ed384ee348fa719232888","changed_attributes":["sha256"],"md5_after":"405d0d63ba1ff34742606e6e88749ae6","sha256_after":"cf3bfea5f22acbbdb2f1c3cdc9eca3a590f24eedecda206bcad639a37b51"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T12:13:56.441Z","size_after":62,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":22872,"tags":["tmp"],"sha1_after":"27f5b067168185c1994cf1979f8b6b0fc5256713","audit":{"process":{"name":"/etc/sample","id":85256,"ppid":25317},"effective_user":{"name":"wazuh","id":92},"user":{"name":"suricata","id":42},"group":{"name":"ec2-user","id":34}},"md5_after":"150fb7562472c6edc853e0ef9c7c99c4","sha256_after":"cb339a2460e9b7941f2dfa0e261cfb449ca76eedd751774d7dafbf68b5e1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files 
(x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T20:44:36.897Z","size_after":62,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":15305,"mtime_before":"2023-03-03T20:43:36.897Z","inode_before":15968,"sha1_after":"8ccaca7cc263ffc1adb58575fa587e01b6b69aea","changed_attributes":["md5"],"md5_after":"fa2bd99e4caf19d2fa672658fa9d966b","sha256_after":"3710849c9800bbc951e4d9669a4db104d7716d392ece3df282b479103d58"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T05:42:59.974Z","size_after":56,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":91705}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T03:23:21.081Z","size_after":58,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":32487}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T23:14:58.156Z","size_after":41,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":24534,"mtime_before":"2023-03-02T23:13:58.156Z","inode_before":64084,"sha1_after":"dabbde246ecc759a794e7fe5bef7880029c93422","changed_attributes":["sha256"],"md5_after":"44fc9e2065f3a63a0900eaeda78aa002","sha256_after":"c82248dc7a567aa1e5800c35af82a8bb186e0fd3196fadab8892a995090e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T16:07:37.877Z","size_after":34,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":33711}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T12:43:51.607Z","size_after":45,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":92949,"mtime_before":"2023-03-06T12:42:51.607Z","inode_before":15672,"sha1_after":"7c29be07570e02c327185c416c5d3e41596ec74a","changed_attributes":["md5"],"md5_after":"c72e5fa2b03bcebfce3b7c62d85d8818","sha256_after":"464f79ab284674c866fb67988098410e9683f3250d40925708252a3faed8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T05:04:35.757Z","size_after":59,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":32925,"mtime_before":"2023-03-08T05:03:35.757Z","inode_before":69127,"sha1_after":"338f146e49c43f96b61db3d27ab0d4abe40682d0","changed_attributes":["mtime"],"md5_after":"a9164b9d0d537c0b421923ab8b1c0a96","sha256_after":"976dc2ed6545fefcf135aa62c36c57fc93259c2bfefe8b583b2eab53090b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T23:11:57.594Z","size_after":19,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":82122,"mtime_before":"2023-03-03T23:10:57.594Z","inode_before":70209,"sha1_after":"49301f95107ccc9496b3914615c5d67b209642e5","changed_attributes":["sha256"],"md5_after":"2b00c4ecbd382e80cc08d34d3d2b51c7","sha256_after":"52300bec56cdffddb05f78458d0f6da69f61267b02d4490d7359dcf446d0"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-08T01:31:55.265Z","size_after":21,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":90380,"tags":["tmp"],"sha1_after":"115119b6d30a3df9b0851705544c39fc931f4f15","audit":{"process":{"name":"/tmp/sample","id":17585,"ppid":35499},"effective_user":{"name":"wazuh","id":44},"user":{"name":"root","id":38},"group":{"name":"Administrators","id":5}},"md5_after":"9a9b3564592b627a063fa82468114e06","sha256_after":"b77ffecf770dd335e7da469ae60884f13f7ad40a57bd87ab70b1ce1dc246"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T07:44:35.937Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":12212}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T09:08:06.296Z","size_after":24,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":43199}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T05:06:41.714Z","size_after":20,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":85199,"tags":["tmp"],"sha1_after":"262b583e51addbdd5a1b7abfc89d27c576b6bc5d","audit":{"process":{"name":"/tmp/sample","id":70874,"ppid":69775},"effective_user":{"name":"Administrators","id":29},"user":{"name":"wazuh","id":75},"group":{"name":"ec2-user","id":34}},"md5_after":"a4781dd19a5ef01f30cc584f2cee64ee","sha256_after":"e0a235901cb3dbf40f9f9b268d6c5b0b714c20bc8cb6b2ef8cb9c529c414"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T01:13:01.350Z","size_after":41,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":11311,"mtime_before":"2023-03-07T01:12:01.350Z","inode_before":25391,"sha1_after":"7a64eaaf806ba76f0a8c91af0b6c0bccb382d430","changed_attributes":["md5"],"md5_after":"5b7a7a181225a5172eb7498d966e2c3a","sha256_after":"bf48beadc196ec0ff0d01bfbfd6be851c197f945b2c639e454f6db56fcc3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T23:20:03.136Z","size_after":63,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":22287}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to 
the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T08:18:29.080Z","size_after":10,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":29054}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T12:14:32.262Z","size_after":38,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":29277,"tags":["tmp"],"sha1_after":"c3e2edb25612d1583746516097a36a0ea92e5b88","audit":{"process":{"name":"/etc/sample","id":96381,"ppid":14991},"effective_user":{"name":"Administrators","id":47},"user":{"name":"ec2-user","id":11},"group":{"name":"ec2-user","id":40}},"md5_after":"2313f26b4b36a76348d78af92d901457","sha256_after":"368c2b2c7147ccaf2b9f3dd70b6b25ddc768636b823b36f43e485a65dc4c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T08:35:42.415Z","size_after":37,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":38520}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T00:20:36.623Z","size_after":18,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":35496}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T01:53:00.461Z","size_after":11,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":4678}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T14:08:25.155Z","size_after":22,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":11459}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T14:52:47.336Z","size_after":13,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":91641,"tags":["tmp"],"sha1_after":"ef94030d9ab39474da48e51d358e3039f4535dd7","audit":{"process":{"name":"/home/user/sample","id":26775,"ppid":37313},"effective_user":{"name":"wazuh","id":66},"user":{"name":"ec2-user","id":6},"group":{"name":"LOCAL Service","id":10}},"md5_after":"d0b4b2ad08e51924f6c16025532146a1","sha256_after":"bb7c1ef74b2730be93305d416b638558361c1675e16dc6d422982af98e11"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T14:26:46.285Z","size_after":57,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":77356,"mtime_before":"2023-03-01T14:25:46.285Z","inode_before":17533,"sha1_after":"01a3cd429c16da9306e7c750b0d46f48f545ffb8","changed_attributes":["inode"],"md5_after":"f9f929895352f969729d895ab0181ce4","sha256_after":"61f8586fa4b5ef5acf0a864164801c7f9eac8423720a7dbafafe637b36cb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T09:42:19.953Z","size_after":8,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":36381}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T15:46:13.435Z","size_after":48,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":98859,"tags":["tmp"],"sha1_after":"5e8b82305401221e6cbd6191ae12ad6ef1cd514a","audit":{"process":{"name":"/home/user/sample","id":71111,"ppid":79342},"effective_user":{"name":"LOCAL Service","id":7},"user":{"name":"suricata","id":17},"group":{"name":"NETWORK Service","id":78}},"md5_after":"534725844e0ef34179ac1e665f6ee040","sha256_after":"c3c71c309345479a3dcb7297992f4c795bcd6d06bcb3dcf764c1df723960"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T02:01:20.777Z","size_after":1,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":64335}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T06:06:53.011Z","size_after":38,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":68447}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-03T06:18:15.163Z","size_after":48,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":3032}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T20:07:27.792Z","size_after":9,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":48857}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T08:42:29.595Z","size_after":25,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":14925}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T23:15:57.200Z","size_after":3,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":87040,"tags":["tmp"],"sha1_after":"fb6b9ae19640aadbdc5ec322f5566c55501fe2b6","audit":{"process":{"name":"/home/user/sample","id":3805,"ppid":35249},"effective_user":{"name":"NETWORK Service","id":68},"user":{"name":"SYSTEM","id":32},"group":{"name":"root","id":76}},"md5_after":"a179e24a4ae08d918a47d779f98708f0","sha256_after":"b449e58555e5d14f962b703b604144886053958e9a9822bd596780a9eec7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T13:31:55.929Z","size_after":4,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":72160}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T14:55:22.448Z","size_after":57,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":96438,"mtime_before":"2023-03-03T14:54:22.448Z","inode_before":33833,"sha1_after":"f0b98b2a33382088340644e747efdfbf0539781b","changed_attributes":["sha1"],"md5_after":"503b3c9f097e17e5be62e2698f15e258","sha256_after":"3713075e4bc1552aa2b9c99fb4b551d97260e7c6aa834df534ba3d0d6de5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T18:10:58.759Z","size_after":7,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":45888}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T06:34:12.321Z","size_after":31,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":64164}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T08:47:33.308Z","size_after":64,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":17529,"mtime_before":"2023-03-04T08:46:33.308Z","inode_before":39289,"sha1_after":"431add917c4bd572faba712797a664fcd5587edf","changed_attributes":["size"],"md5_after":"d70077ac60bcb91f5d9c7a7479492b38","sha256_after":"36d5c80bf1ec3fa1d8dfeadf9a01ef467c52005d9db737a6a8fd3d5627f3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T23:21:10.509Z","size_after":57,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":86492,"mtime_before":"2023-03-02T23:20:10.509Z","inode_before":63557,"sha1_after":"be3e49e3e1b5da084d03b862ca019214f41b2211","changed_attributes":["tmp"],"md5_after":"2970354e848d9f064579c1396da1170d","sha256_after":"28a2240595da625cbcb90b83de18d9ea4e7fbf7c9fd56301a204d047dca8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T23:59:27.330Z","size_after":44,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":41298}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T05:29:10.154Z","size_after":59,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":66286,"tags":["tmp"],"sha1_after":"816f1e5d7b5071573ebf369d364ed8aeed7bbb81","audit":{"process":{"name":"/home/user/sample","id":29647,"ppid":75822},"effective_user":{"name":"Administrators","id":86},"user":{"name":"root","id":16},"group":{"name":"ec2-user","id":63}},"md5_after":"e594144304aad3c4a75005a4c1bc98f1","sha256_after":"ad789d0af5afddf02e9027d167586dc831fcb38151c115a92e07b537c2a7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-03T04:24:54.617Z","size_after":57,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23222,"mtime_before":"2023-03-03T04:23:54.617Z","inode_before":80050,"sha1_after":"c2008de66c1377c1ccf65944da9377fe70e54d27","changed_attributes":["sha1"],"md5_after":"ee96e062674c1553471011ecbb586fe2","sha256_after":"c08095becf477463a50dff8c14b39bcd5ca908b5485ad4d512be039c2219"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T11:28:59.876Z","size_after":5,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":23860,"tags":["tmp"],"sha1_after":"e75834a79739e3c0d81f6bd7af0696eac1f6e50f","audit":{"process":{"name":"/etc/sample","id":32919,"ppid":76766},"effective_user":{"name":"root","id":95},"user":{"name":"LOCAL Service","id":79},"group":{"name":"NETWORK Service","id":59}},"md5_after":"6e476ee630475670fef6f3e5f7f274a4","sha256_after":"3e7140fe12d16ddfc7cf21e68d84eccb69dd49e7dd37b1fb7350b169efe5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T04:22:00.873Z","size_after":34,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":92373,"tags":["tmp"],"sha1_after":"e3bff8dd6dfaa65128f0ce59aac4eaca31a54378","audit":{"process":{"name":"/home/user/sample","id":70193,"ppid":16225},"effective_user":{"name":"LOCAL Service","id":25},"user":{"name":"LOCAL Service","id":51},"group":{"name":"suricata","id":0}},"md5_after":"3f8983de6c4efa0537fa654a874def83","sha256_after":"ba8d96315e197045d95921715d01dec9c7333f3cf5b5faf6d45da75a1575"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T18:45:29.737Z","size_after":11,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":73620,"tags":["tmp"],"sha1_after":"342e50e120d084ff768e41e77c739ce163c037c0","audit":{"process":{"name":"/home/user/sample","id":18687,"ppid":33550},"effective_user":{"name":"root","id":24},"user":{"name":"Administrators","id":38},"group":{"name":"root","id":73}},"md5_after":"ccd914f8115b1eb5969537d635a631c8","sha256_after":"05a82b0e3eae232601d32f982bfe1bcc2056aeb670386b4ccc962929459d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T05:49:45.758Z","size_after":39,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":12217,"mtime_before":"2023-03-06T05:48:45.758Z","inode_before":5533,"sha1_after":"7928f8c8d7f14e5f52b05c8082d435b5d2d62309","changed_attributes":["inode"],"md5_after":"cf33a024a005345f1a96881b4d34ee8d","sha256_after":"1f959dfe63e9e5c1b6ece25aa930d8189ca3eb31760be82c8ab6831c5c20"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T23:51:49.732Z","size_after":3,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":59267}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T12:18:06.841Z","size_after":44,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":28346,"mtime_before":"2023-03-03T12:17:06.841Z","inode_before":49767,"sha1_after":"043e038b717d4e633a2f80cb364445e0f6f5a62f","changed_attributes":["md5"],"md5_after":"5902c50963b259e96ba463516334b48d","sha256_after":"61d87b06a6f47c66e350edd3b979f189f072953ceac920c8ad5da0cd2155"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T04:21:40.839Z","size_after":8,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":46427,"mtime_before":"2023-03-08T04:20:40.839Z","inode_before":30258,"sha1_after":"2d30d61033659c11f834b39cd02a1fe89fb5db95","changed_attributes":["inode"],"md5_after":"8db7e5e2667bac8bec8763a3664db105","sha256_after":"3c0bf58e9962e4adee655fc4ad1cbb86f12cd90bfe85dc43eaf0e6dfeddc"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T18:22:34.667Z","size_after":28,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":96682}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T05:57:33.575Z","size_after":3,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":20906,"tags":["tmp"],"sha1_after":"89f2199cf1dc7b19bca623c369b20e54ec5c137d","audit":{"process":{"name":"/home/user/sample","id":53012,"ppid":57227},"effective_user":{"name":"LOCAL Service","id":77},"user":{"name":"root","id":67},"group":{"name":"suricata","id":70}},"md5_after":"859057960c533e4aa227514b7e592ca8","sha256_after":"7b573fb7ebc4e347f2d28ca4c88346b43a1b7dfda22d99529b74c4f8198d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T07:41:50.428Z","size_after":59,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":95777,"mtime_before":"2023-03-05T07:40:50.428Z","inode_before":67550,"sha1_after":"2e001a79fc98aeeb2dab054640e04e741b53388c","changed_attributes":["tmp"],"md5_after":"1bcde6275a38aa4c53439f567138fab8","sha256_after":"1d80653260890ffc45fff446a26302c26333c9bb1447c9f08f20fac67b0e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T17:47:39.760Z","size_after":16,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":52094,"tags":["tmp"],"sha1_after":"215be41a7543aafe153251ea59617ea58e5cea8c","audit":{"process":{"name":"/tmp/sample","id":8673,"ppid":75996},"effective_user":{"name":"Administrators","id":64},"user":{"name":"NETWORK Service","id":12},"group":{"name":"root","id":92}},"md5_after":"7a236ca3c2f431d293270833f9095717","sha256_after":"518ae3a6fcce9adba613f5f503ee9ad0b38a0f2e7b0add5fc485dc39da9c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T16:07:34.406Z","size_after":65,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":58152,"tags":["tmp"],"sha1_after":"c35d56175afb49b1225e3f58157c26588a4c8956","audit":{"process":{"name":"/home/user/sample","id":23482,"ppid":39296},"effective_user":{"name":"wazuh","id":37},"user":{"name":"root","id":9},"group":{"name":"SYSTEM","id":76}},"md5_after":"c7dd912b836491e9c78b18a0ee3d0530","sha256_after":"498403400fc906859e340c492e9a8ddfdd2c9ca2d77672803c8daf58eccb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T22:38:27.095Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":56537,"tags":["tmp"],"sha1_after":"6da2af1fc8b7271e667b4037eb1547d46eda6b78","audit":{"process":{"name":"/etc/sample","id":40501,"ppid":27576},"effective_user":{"name":"ec2-user","id":34},"user":{"name":"Administrators","id":22},"group":{"name":"NETWORK Service","id":23}},"md5_after":"bee7bc0442b8e79a2a5b09d572263614","sha256_after":"60d53a4604b0e66a142db3fe97e90005f2e658696adff128bf809351814d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T13:18:11.472Z","size_after":9,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":92969,"mtime_before":"2023-03-05T13:17:11.472Z","inode_before":64457,"sha1_after":"8d12840c6c2740e91c7513dfc57c6ef24bb7b5e7","changed_attributes":["md5"],"md5_after":"e24403a26add9ec252a2bbf25b8a3a7e","sha256_after":"57b71e0649625f3c2c76f1176f04d9a5b2eb8f92f68304c5bd94d43618e7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T06:01:14.649Z","size_after":22,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":39716,"mtime_before":"2023-03-02T06:00:14.649Z","inode_before":39699,"sha1_after":"5d720dfa669d07f31b466659edf9297bfa4d4966","changed_attributes":["md5"],"md5_after":"e77f2ae567cd6a44ec117b02c1651d11","sha256_after":"db9900f0c3cc375177927c00b0135e0953a378f7592b6605296e1f4207e8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T06:17:55.162Z","size_after":12,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":21594,"mtime_before":"2023-03-08T06:16:55.162Z","inode_before":16422,"sha1_after":"b3011694b475bf8d0ad5bba4458845d7df3df5ae","changed_attributes":["sha256"],"md5_after":"4ad12a23ff68e5ecd3f8cc4cb0b21648","sha256_after":"afbaf3c3263eddd12439a61578256acfaa9cbf9db6b26d9cd1a0f25ef054"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T13:02:36.048Z","size_after":45,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":25857,"mtime_before":"2023-03-07T13:01:36.048Z","inode_before":21210,"sha1_after":"46b78b6008ea5c095ddf18a41b7b81d73672eec8","changed_attributes":["inode"],"md5_after":"0164a2e9c37958bdd4f89a3ebd118e0b","sha256_after":"cf508ccc6da354b6c21b6e29a628fff485dcf0df22b36df6f53377b7391f"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T13:40:16.491Z","size_after":12,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":27638,"tags":["tmp"],"sha1_after":"4cfce8b27a338906fcd5971e944203eb377939f5","audit":{"process":{"name":"/etc/sample","id":40545,"ppid":52506},"effective_user":{"name":"LOCAL Service","id":4},"user":{"name":"ec2-user","id":89},"group":{"name":"suricata","id":2}},"md5_after":"076250ad560f79881fb372bc6f12b817","sha256_after":"dee5fbb69dc588a006ee78ab1ef62d861bd8265b59e3a0fd7551841fdca1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T04:54:48.999Z","size_after":10,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":10106}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T02:24:02.309Z","size_after":4,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":38100,"tags":["tmp"],"sha1_after":"6277b3e965c5ba81565157bb9c9012cc7eab0837","audit":{"process":{"name":"/home/user/sample","id":22732,"ppid":53258},"effective_user":{"name":"SYSTEM","id":23},"user":{"name":"NETWORK Service","id":63},"group":{"name":"root","id":8}},"md5_after":"4b3de77a9a06e80b0493cb843af4b001","sha256_after":"7018ceb5667acecb2f6051b0134e8973b1295fdd684461730f49a0f140d2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T23:45:50.902Z","size_after":46,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":41048}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T01:52:29.279Z","size_after":7,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":69258}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T16:41:02.076Z","size_after":37,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":82976,"mtime_before":"2023-03-07T16:40:02.076Z","inode_before":49018,"sha1_after":"0d1f11eccdc5b7e07cf1adc90c97b4b9c3b076e7","changed_attributes":["size"],"md5_after":"91c366a827fdfcaf68629133a1a64204","sha256_after":"fd59cea9a91d362ac7460031f2a1b595f1ff9f6e1cdcfb5be909464ea369"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T15:22:38.920Z","size_after":34,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":17442,"tags":["tmp"],"sha1_after":"34c2bfe45b088d049432da280bb1159919ab7e69","audit":{"process":{"name":"/etc/sample","id":90336,"ppid":5188},"effective_user":{"name":"ec2-user","id":91},"user":{"name":"ec2-user","id":11},"group":{"name":"root","id":60}},"md5_after":"db42193b6ad2f18645e7c8a653102bd1","sha256_after":"e0dd95fc2aa35a9a296775db44b7d34fc5c7e929fc94a2678d2f2d95ccb1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T20:06:09.419Z","size_after":0,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":63029,"tags":["tmp"],"sha1_after":"0ffbde0ff1b4a58991aac0ab38ca0dc13765d9ad","audit":{"process":{"name":"/etc/sample","id":7154,"ppid":14158},"effective_user":{"name":"suricata","id":64},"user":{"name":"root","id":85},"group":{"name":"root","id":59}},"md5_after":"1aea09fb9d614700e866c760ddd418f2","sha256_after":"8f85c21624d98037003160fd87591e792f3b667f7f5feedd2b651323325c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T02:35:16.903Z","size_after":27,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":3108}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T20:28:55.374Z","size_after":18,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":34136,"mtime_before":"2023-03-03T20:27:55.374Z","inode_before":20442,"sha1_after":"3f35f20799d5f0b67acf7b7059b4a11231406b39","changed_attributes":["sha1"],"md5_after":"235faa238b68d4465d4fcea26786be4a","sha256_after":"0e57bf15ee0ba39dec1b8bac586957cd62df0cf6d23fa67252b038d01b14"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-02T09:11:34.681Z","size_after":43,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":51732,"mtime_before":"2023-03-02T09:10:34.681Z","inode_before":45388,"sha1_after":"0f768939454f35199c2086d9c3f9347f5806d90c","changed_attributes":["sha1"],"md5_after":"2646eb51fde041ca55814db2f87b051c","sha256_after":"ed3ec69662116dd7497aa8b680608d80c9a208571d458db618143d061ca8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T02:49:35.825Z","size_after":34,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":62524,"mtime_before":"2023-03-03T02:48:35.825Z","inode_before":68362,"sha1_after":"7ab7ccc929e27ab6cccaf433395797173b9ec329","changed_attributes":["inode"],"md5_after":"c52fd15532c963c3a181fb897ec50db5","sha256_after":"dd123d84bb6bd16294a7af69d081fdf343520423acf456c9e1351a3a9b2f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T05:52:51.363Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":56118}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T11:32:36.469Z","size_after":16,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":7962,"mtime_before":"2023-03-02T11:31:36.469Z","inode_before":91585,"sha1_after":"f45b9e1c9833a495146a99b16f44bfd1959fe8db","changed_attributes":["sha256"],"md5_after":"47ab5cdd6027f2e3b1a1aad77d8b1f14","sha256_after":"84352dde5c3c7de39d3fbc874e23b3d944e8a11c619af60b372605b9c2fa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T06:07:44.787Z","size_after":44,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":77305}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T21:14:58.296Z","size_after":41,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":94243,"tags":["tmp"],"sha1_after":"e182a10f8856d4c8ad327f1ba2e184f6bb00119d","audit":{"process":{"name":"/home/user/sample","id":78949,"ppid":28261},"effective_user":{"name":"wazuh","id":49},"user":{"name":"SYSTEM","id":45},"group":{"name":"suricata","id":79}},"md5_after":"41d85d1193d56468409a1298d4dade56","sha256_after":"29a4c0ca02a6460655861a9bfd13b88468442c6b492a184077c3c9414cc5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T16:43:24.801Z","size_after":57,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":82143}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T09:15:05.467Z","size_after":22,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":93786}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T11:12:14.148Z","size_after":33,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":72323}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T02:57:54.048Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":92913}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T05:01:37.110Z","size_after":2,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":52722,"mtime_before":"2023-03-07T05:00:37.110Z","inode_before":69106,"sha1_after":"fde8e8f8a21035da50db01a3ec0f094ed3c9718b","changed_attributes":["size"],"md5_after":"65ce12e657a6ea383bc7086bd9e760e2","sha256_after":"e96c9b9e010f493a161e01692f2a873deba46810d898bb3709bce2072040"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T12:41:43.307Z","size_after":8,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":75722,"tags":["tmp"],"sha1_after":"c18f661edd1213c8bf7ee4d668d802a3e0b478cb","audit":{"process":{"name":"/etc/sample","id":13383,"ppid":31288},"effective_user":{"name":"SYSTEM","id":100},"user":{"name":"NETWORK 
Service","id":72},"group":{"name":"suricata","id":15}},"md5_after":"7ac218e349e50973f5a9def63f2dfe6e","sha256_after":"9a32485f958c6ed96da0b8629be53d70ca33203516e22932c3de3e13046a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T10:40:24.372Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":77520}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T23:49:52.879Z","size_after":11,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":57444,"mtime_before":"2023-03-06T23:48:52.879Z","inode_before":53296,"sha1_after":"d73a93116932e92afa2d483ebabda2efd2b32d59","changed_attributes":["sha1"],"md5_after":"64018e2e83bb0ae12c5ec85d14876c41","sha256_after":"e68c058f73c6354a26fe4077a581c8e48677392ab129d5e9d3071f0f2681"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T04:15:13.731Z","size_after":48,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":43262,"mtime_before":"2023-03-07T04:14:13.731Z","inode_before":60221,"sha1_after":"09ef82fdd560b6d18a18d0ecbfc1cbfa0f29fe77","changed_attributes":["sha256"],"md5_after":"172a16bec005b66749bc24775412204c","sha256_after":"3562cfd0166ae27fd5b57dd430b080e4d6e7ef1b5f5898cf5288fb43c813"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-03T01:51:39.176Z","size_after":1,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":93993,"mtime_before":"2023-03-03T01:50:39.176Z","inode_before":97127,"sha1_after":"7d5a47f82c30a3d251c9f4cda6a75db8652a7883","changed_attributes":["inode"],"md5_after":"3b2d97a1cea268383f5b766e04e48f0e","sha256_after":"b2a9f49a5f2b6dbf1e277bbbf259c0060059faea70e37d27ce26e18adc74"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T14:46:04.686Z","size_after":50,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":85955,"tags":["tmp"],"sha1_after":"fd3e13ee12ea2f46a2cdd52b082bad6cb1bca1b1","audit":{"process":{"name":"/home/user/sample","id":16184,"ppid":691},"effective_user":{"name":"suricata","id":40},"user":{"name":"suricata","id":86},"group":{"name":"ec2-user","id":26}},"md5_after":"c5cb98bd938090c02ec1cdb2481b7d9b","sha256_after":"cb1920eb69e2c9e6a6b3445ddadf6510c98d244771c759bcfffe9d4e8f09"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T08:54:53.047Z","size_after":48,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":9783,"tags":["tmp"],"sha1_after":"9ae9442005e4953ade2d1e6191368f8500deed61","audit":{"process":{"name":"/tmp/sample","id":63435,"ppid":48307},"effective_user":{"name":"LOCAL Service","id":29},"user":{"name":"suricata","id":66},"group":{"name":"suricata","id":28}},"md5_after":"3af0f944a9f9001daa870757d9215038","sha256_after":"28378b97dae0592b1d1f63958bbc98b1eb2b008e6b7a7689574bf65c55ee"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T04:40:32.318Z","size_after":47,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":72968,"tags":["tmp"],"sha1_after":"a05583619d7a795971da7b6ff753b068f5f0e42f","audit":{"process":{"name":"/home/user/sample","id":26358,"ppid":84855},"effective_user":{"name":"NETWORK Service","id":60},"user":{"name":"NETWORK Service","id":30},"group":{"name":"LOCAL 
Service","id":36}},"md5_after":"0b50f13226990a2328a16e06101fc128","sha256_after":"2b2d569364bda1d713e7bdf3a6d31495716f59128272766478f70654cfd2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T18:19:42.397Z","size_after":53,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":57270}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T18:39:48.908Z","size_after":37,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":20433}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T20:13:27.716Z","size_after":14,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":36458,"tags":["tmp"],"sha1_after":"9723f3254e0cdd5abf8221decde8a1f4b4056e7d","audit":{"process":{"name":"/tmp/sample","id":85272,"ppid":43993},"effective_user":{"name":"Administrators","id":41},"user":{"name":"ec2-user","id":54},"group":{"name":"NETWORK Service","id":47}},"md5_after":"b9374b2661b4cd5af6b6ab348a908dfa","sha256_after":"c128a38944e83365dee663c202a5de2241c7d877831992bbe9f47dcba7fe"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T13:27:19.288Z","size_after":44,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":2545,"tags":["tmp"],"sha1_after":"e338555c2ad0e8857e3f870c9caaed09a669bfe9","audit":{"process":{"name":"/home/user/sample","id":28850,"ppid":89299},"effective_user":{"name":"LOCAL 
Service","id":8},"user":{"name":"wazuh","id":25},"group":{"name":"SYSTEM","id":6}},"md5_after":"96d0f3c509b7e8b2b687bd25c8112a78","sha256_after":"0ffb27f712296c4015d20a90c26dee0f2f0e71182f9256583d5e79de3dc8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T03:20:48.216Z","size_after":10,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":49592,"tags":["tmp"],"sha1_after":"6fd8af892d31a74d4ccde6ea2c8c38da92371653","audit":{"process":{"name":"/etc/sample","id":43101,"ppid":76708},"effective_user":{"name":"ec2-user","id":87},"user":{"name":"SYSTEM","id":69},"group":{"name":"root","id":17}},"md5_after":"75f58c31d167cb97dec37c3ac32bf535","sha256_after":"3427a7cb35c553f69deb4644d4c9344b761c4c753accde77c54fb1aa7af5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T22:59:55.965Z","size_after":21,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":58282}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T03:19:59.311Z","size_after":56,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":14029,"mtime_before":"2023-03-04T03:18:59.311Z","inode_before":60224,"sha1_after":"e78b723c855800ed901d45a662935b38709d5f8b","changed_attributes":["tmp"],"md5_after":"bc8ac723d02530c9097441108f793bc3","sha256_after":"66562469691b91e4efc35391c35ed05b83ae0a04842b314b07cfdae9bd4a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T09:22:24.794Z","size_after":61,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":60918,"tags":["tmp"],"sha1_after":"b1033252fd0a581d7f69fd30711213d503d5719b","audit":{"process":{"name":"/etc/sample","id":53857,"ppid":20425},"effective_user":{"name":"ec2-user","id":3},"user":{"name":"ec2-user","id":43},"group":{"name":"ec2-user","id":26}},"md5_after":"45da36d5fb4aa1fce404aaba5cdb6114","sha256_after":"10fefcc99940627a8a0c3796eecb058147f1992c3df333d5400a97503cce"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T07:19:02.373Z","size_after":48,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":40485,"mtime_before":"2023-03-05T07:18:02.373Z","inode_before":35746,"sha1_after":"c51abb27917d7125932a97dc18cfdf2aaaec01ce","changed_attributes":["inode"],"md5_after":"07a35c430dc699592c63255aba4c640a","sha256_after":"188849a2f4f4bc38013f50fb7f399416ed952d266fbbf9d8d1471522cf40"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T22:31:46.106Z","size_after":19,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":9063,"mtime_before":"2023-03-02T22:30:46.106Z","inode_before":87159,"sha1_after":"08c042b7a721317a2c25b0e7740d712ca7862a7b","changed_attributes":["mtime"],"md5_after":"300be741d351ad878acb1932257e6a42","sha256_after":"79cb18bb83db2249eafd1c2c417c87fd01e42231538e75ab5bd336bb81d8"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T09:22:25.520Z","size_after":55,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":48081,"tags":["tmp"],"sha1_after":"30d888a37b0181e94be0bbaf6cc6e9db602d6445","audit":{"process":{"name":"/home/user/sample","id":24131,"ppid":63557},"effective_user":{"name":"LOCAL Service","id":27},"user":{"name":"SYSTEM","id":89},"group":{"name":"wazuh","id":81}},"md5_after":"5db8834df63da013a00a322abd31065f","sha256_after":"5cd15aaf8c2d5c96a4be294252e9b04b759cb29462466dd701967cc34fe7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T23:53:06.657Z","size_after":64,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":44806}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T19:14:31.488Z","size_after":47,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":66456}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T21:36:31.417Z","size_after":3,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":4163,"mtime_before":"2023-03-03T21:35:31.417Z","inode_before":30505,"sha1_after":"ecda30b9ddca5e43fa1effada1c3392419e179b7","changed_attributes":["tmp"],"md5_after":"3824095e4e6cabd5cf331c75fbbbc373","sha256_after":"23257e1985e26928a044fa28434e38b7004109e746937b9bc5fa861dd73f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T07:13:04.881Z","size_after":11,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":97732,"tags":["tmp"],"sha1_after":"191c5f0a1e2616321ea4b6f6649d2028e164e83a","audit":{"process":{"name":"/home/user/sample","id":52220,"ppid":42117},"effective_user":{"name":"NETWORK Service","id":2},"user":{"name":"wazuh","id":55},"group":{"name":"suricata","id":50}},"md5_after":"9064aad91cd60901d7608f99f0fb40d8","sha256_after":"c189d9055c7c966a53bc83ddf21ce55859bb04ee0177f684605eb884dbee"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-05T16:45:24.830Z","size_after":45,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":91384,"tags":["tmp"],"sha1_after":"6f4cad90aa30fdb977bb3ba3a7f737f4eb922c2a","audit":{"process":{"name":"/tmp/sample","id":53339,"ppid":33840},"effective_user":{"name":"Administrators","id":90},"user":{"name":"suricata","id":68},"group":{"name":"root","id":23}},"md5_after":"aa1ec1b092175f4f3ad103b5b7812058","sha256_after":"2628ff6b91b6e16e70237158ad0a4aae390267a5a95238608f5354f77ae5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T14:24:33.907Z","size_after":10,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":25082,"tags":["tmp"],"sha1_after":"ddda4e8ec558702ad37c75cf48f020a3c2d531b6","audit":{"process":{"name":"/etc/sample","id":40729,"ppid":53946},"effective_user":{"name":"suricata","id":31},"user":{"name":"wazuh","id":22},"group":{"name":"NETWORK Service","id":96}},"md5_after":"efd54b7db71b386222f7d0ae87c2360e","sha256_after":"c9c13edd40d0d2844cdc0f7d4b02b55c2341ac5bc893ee7816e6895afcf4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T03:25:05.406Z","size_after":26,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":75317,"tags":["tmp"],"sha1_after":"16139f7b88304bc7b4ab1f97f3982fe92406cc25","audit":{"process":{"name":"/home/user/sample","id":25252,"ppid":41656},"effective_user":{"name":"Administrators","id":4},"user":{"name":"ec2-user","id":46},"group":{"name":"suricata","id":2}},"md5_after":"717840a9d35a047acb84526716027866","sha256_after":"f35b1d34a85d466765fd2f8da107e7820db2fd747cae490723211b2c2493"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T18:23:26.435Z","size_after":6,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":35186}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T23:53:55.963Z","size_after":20,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":56035}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T08:19:34.914Z","size_after":0,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":98762,"tags":["tmp"],"sha1_after":"20892667f93b1ca07cefd1f19a004b31256b2ee0","audit":{"process":{"name":"/tmp/sample","id":12917,"ppid":85366},"effective_user":{"name":"ec2-user","id":74},"user":{"name":"SYSTEM","id":74},"group":{"name":"ec2-user","id":93}},"md5_after":"dc79821b908911ccb735d3e2042a717e","sha256_after":"4a44157d1c1380c61afc63767d5378b03a385860b0bc094aafbc716149e8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T14:00:52.594Z","size_after":50,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":31917}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T23:30:45.786Z","size_after":18,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":2236,"mtime_before":"2023-03-07T23:29:45.786Z","inode_before":90447,"sha1_after":"bf1326888bd8e1c51091d105dab552d7c01bfef8","changed_attributes":["inode"],"md5_after":"66c4c8ee3d1f34da5d3b7e34b74cba6d","sha256_after":"00f5fa9e9198c69b168f13a618ff70b8f1491238406aaa44e2509f835eed"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T14:16:02.518Z","size_after":51,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":41222}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T14:29:27.657Z","size_after":9,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":86844,"tags":["tmp"],"sha1_after":"841fc59baeb7e8a1b0665b1eaeb65b66021201d4","audit":{"process":{"name":"/home/user/sample","id":32983,"ppid":94711},"effective_user":{"name":"ec2-user","id":60},"user":{"name":"Administrators","id":70},"group":{"name":"root","id":58}},"md5_after":"1e7d00c3e6f221da21a5a83da101adc6","sha256_after":"7f34b12786a27cb43abce324282d7d8f00bacd2994d636e329849b8c483e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T23:38:28.225Z","size_after":17,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":37314,"mtime_before":"2023-03-02T23:37:28.225Z","inode_before":26740,"sha1_after":"a1bae6acc00ad6535180180ba53ff43186f8b727","changed_attributes":["sha256"],"md5_after":"ae70b91dae37cfa43704c5f36006721b","sha256_after":"9e5614a129a9c5e36f9a3dd593538c1377915251f1c59f7ba9780657a495"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-08T07:37:47.312Z","size_after":4,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":77327}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T06:00:24.535Z","size_after":53,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":18417,"mtime_before":"2023-03-07T05:59:24.535Z","inode_before":92425,"sha1_after":"9a250f3eef07bc042de0b666a4eb8e90beb5d937","changed_attributes":["tmp"],"md5_after":"e30b767f9a3027f24bd802ef3d098e7d","sha256_after":"b6ba3d2e7cd29a9082727892abddb6839ba7d5d3eddf3e5ee4b14171aec8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T07:44:00.647Z","size_after":19,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":40403,"tags":["tmp"],"sha1_after":"9e9ed3cde6e04709801ad1d3fce759936c93d07c","audit":{"process":{"name":"/home/user/sample","id":1331,"ppid":71579},"effective_user":{"name":"suricata","id":16},"user":{"name":"root","id":34},"group":{"name":"suricata","id":79}},"md5_after":"628c340d59c4b59197b9f7794d8010ac","sha256_after":"0693b3fb82d23f094f825d69ec08bded73f2c7b4cedb8567c124c8453beb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:26:34.673Z","size_after":52,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":2903,"tags":["tmp"],"sha1_after":"24b6f5395e10ad58180a3ffeee35d3ea33b308eb","audit":{"process":{"name":"/tmp/sample","id":45741,"ppid":71355},"effective_user":{"name":"wazuh","id":30},"user":{"name":"root","id":45},"group":{"name":"root","id":21}},"md5_after":"630a4a46e9e4a26db8880c58c2e39afe","sha256_after":"93f6f400c5fbb5bba1c8208e81ca0ae15109a4778b08ad82a6523bf0a643"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T20:59:36.981Z","size_after":21,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":5630}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T00:58:26.501Z","size_after":46,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":60360,"tags":["tmp"],"sha1_after":"ee087ff6a9bde89a5f7a38470e7569a49b63e622","audit":{"process":{"name":"/tmp/sample","id":22430,"ppid":28758},"effective_user":{"name":"ec2-user","id":38},"user":{"name":"NETWORK Service","id":15},"group":{"name":"LOCAL Service","id":22}},"md5_after":"b223ade59e3092ffe86cd236a32561be","sha256_after":"514fddb13a0c0c876166b4b56f031bd887f6804b5d2ffbb42c33000fed00"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T09:28:03.734Z","size_after":27,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":49294,"mtime_before":"2023-03-04T09:27:03.734Z","inode_before":57305,"sha1_after":"93212c3c185ce819b212faa23fe2114c1a2d5e9f","changed_attributes":["sha1"],"md5_after":"4e253b01fad87fa83370aa7d5bfe84c0","sha256_after":"d91722840059fadad1e605569118f5cc1be73a5a5a3e126ed44a593e5095"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T05:26:03.214Z","size_after":34,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":11437}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T14:45:36.681Z","size_after":63,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":7812}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-08T08:15:15.097Z","size_after":56,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":62682,"tags":["tmp"],"sha1_after":"f1f8415ef971261ad49becb998912e0b3ef018af","audit":{"process":{"name":"/tmp/sample","id":86238,"ppid":10957},"effective_user":{"name":"root","id":46},"user":{"name":"LOCAL Service","id":40},"group":{"name":"root","id":30}},"md5_after":"2b4cb5db6bf151925b7dae98bc2958ea","sha256_after":"73fd581ab553db360928b99ef331703cb6d1c5ac02304ce9593433d32690"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T18:48:39.543Z","size_after":48,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":58894}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T17:20:54.084Z","size_after":6,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":32500}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T00:35:03.755Z","size_after":43,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":24707,"mtime_before":"2023-03-05T00:34:03.755Z","inode_before":90970,"sha1_after":"3be31294d97715729b81da91fb9820f66acdf4f8","changed_attributes":["tmp"],"md5_after":"da250247d13dcc47b4c1d9a6e99e7225","sha256_after":"6a2ba5bd6a42bbf366b9837b7d7caf37ddd73b6e33e5b6bd63a91898c61b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T22:14:37.660Z","size_after":7,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":61985,"tags":["tmp"],"sha1_after":"7d9eaac602c4ed17966205c269814471ef843c72","audit":{"process":{"name":"/home/user/sample","id":33252,"ppid":70237},"effective_user":{"name":"wazuh","id":30},"user":{"name":"suricata","id":31},"group":{"name":"LOCAL 
Service","id":97}},"md5_after":"d38ba1f31df0a7775d2a1e81e0670cd6","sha256_after":"be87deb251ef6a7cb44f4fb34bcb78e69c9f065cce0b2a13984f1081f505"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T12:38:08.312Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":64726}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T00:07:45.459Z","size_after":10,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":80409,"mtime_before":"2023-03-02T00:06:45.459Z","inode_before":93077,"sha1_after":"6533c86174abd59f9f80a99236804bfd7e8783c3","changed_attributes":["size"],"md5_after":"c4836d8361a2079e6f1748a248718ee8","sha256_after":"2fae43be3cad9965d00a2121166400f9c1e566566be375662b261a74a6bf"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T22:19:42.782Z","size_after":46,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":66501,"mtime_before":"2023-03-01T22:18:42.782Z","inode_before":92137,"sha1_after":"24f79dfe8f8ff0d348c9600dba47a73ad9c3ccde","changed_attributes":["inode"],"md5_after":"6e53e9df0cbe55ab2d7a8bbdef880c2f","sha256_after":"fdad20278ce18e4c1a944ceaac1452e3b8f7041e9a4e3158bc9f43776400"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T21:39:06.261Z","size_after":23,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25995,"tags":["tmp"],"sha1_after":"d6ff5d400e3009cde4e97822fb270498d52ffc60","audit":{"process":{"name":"/tmp/sample","id":18676,"ppid":31553},"effective_user":{"name":"NETWORK Service","id":2},"user":{"name":"SYSTEM","id":18},"group":{"name":"suricata","id":2}},"md5_after":"65c69ce1ed76b7211d1f820411700ce7","sha256_after":"ed4bd938420a0b57ee2b262c497d3f0a19a1f24a807c0b592cbe373375c1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T06:47:19.645Z","size_after":32,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":51763,"mtime_before":"2023-03-07T06:46:19.645Z","inode_before":68201,"sha1_after":"6fb5e06cf0a7dc13454ae2df269d0916e8b92aea","changed_attributes":["size"],"md5_after":"2e139dbaf32052c7c528018d68d4f768","sha256_after":"11eba0e4a942a440118728cee283c5a0d909cc46d37a6b378830cc071c68"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T22:42:36.288Z","size_after":38,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":95861,"mtime_before":"2023-03-05T22:41:36.288Z","inode_before":32749,"sha1_after":"3de4516b98243867840fe57ef018eacedabbe82a","changed_attributes":["tmp"],"md5_after":"79a4915e5f7a11b48f37d139cc4de1df","sha256_after":"cdc695e9286ef36b068d1cfb1abd493777a303bf6fbbf9e27459643b7a72"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T06:09:54.588Z","size_after":22,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":22326,"tags":["tmp"],"sha1_after":"215cd654fa886b658501f4d564824341e2310a6e","audit":{"process":{"name":"/tmp/sample","id":45656,"ppid":32532},"effective_user":{"name":"wazuh","id":11},"user":{"name":"Administrators","id":92},"group":{"name":"ec2-user","id":2}},"md5_after":"8b9ffb797b4622115631a75768b62ea2","sha256_after":"fb25c773a2e28912fcfdf072fa0b7f73a4bd627c6ef280cb26bbab012634"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T05:34:07.400Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":11350}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T15:52:52.190Z","size_after":5,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":43849,"tags":["tmp"],"sha1_after":"5e3190d8df4df56a91bbfb02d16c4f51dfb5c558","audit":{"process":{"name":"/etc/sample","id":88880,"ppid":34035},"effective_user":{"name":"LOCAL Service","id":33},"user":{"name":"suricata","id":73},"group":{"name":"SYSTEM","id":8}},"md5_after":"3e17c320099502583307602f835dbbbc","sha256_after":"a7daf54f017784b4c3bd5763479fec4da44cb7f18746390c49a6cdab635c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T16:24:11.961Z","size_after":56,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":91991,"mtime_before":"2023-03-05T16:23:11.961Z","inode_before":38539,"sha1_after":"6f1ddb26629776b41517850bb4e181f7133b6648","changed_attributes":["sha1"],"md5_after":"e0332d25ab3a302c58a14415f1e9478c","sha256_after":"b549dcc8f70e4c6b84006b34f3fc86f71bf8868b8b5a937c0b4d3409ed40"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T16:19:39.236Z","size_after":27,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":77944,"mtime_before":"2023-03-02T16:18:39.236Z","inode_before":15984,"sha1_after":"a11806081a68910ca655f9a053fbc8a2c7e7b15a","changed_attributes":["sha256"],"md5_after":"4ee5bb6a69c6e037cb8118038a4637e7","sha256_after":"b9b10fe860a3e5761132219e2b15c23b96de8b97c779483025da6238337d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T06:29:31.543Z","size_after":11,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":82275}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T11:38:28.891Z","size_after":7,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":32280,"tags":["tmp"],"sha1_after":"69b153f998de9ada9338cd22ece6c9258b50e120","audit":{"process":{"name":"/home/user/sample","id":63464,"ppid":75057},"effective_user":{"name":"wazuh","id":44},"user":{"name":"root","id":10},"group":{"name":"LOCAL Service","id":93}},"md5_after":"a241a84c63d81e92ea80171f6cbf5689","sha256_after":"6468bc8b4bd1d10270decfd473a30e48b30b085ae84f729d56c215f052f8"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T07:52:25.575Z","size_after":52,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":55292,"tags":["tmp"],"sha1_after":"d8ce35d1a1d9349f2b03847957c52c17d6d0f33b","audit":{"process":{"name":"/home/user/sample","id":98891,"ppid":25271},"effective_user":{"name":"SYSTEM","id":46},"user":{"name":"Administrators","id":26},"group":{"name":"suricata","id":17}},"md5_after":"5f56cceb1cfa888f9ee83d69a484cc3d","sha256_after":"dcb7b8fc886340a41c2100e4ba93403f3e071732e9b06eeccf96b8520768"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T01:08:53.565Z","size_after":44,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":22297}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T20:09:18.883Z","size_after":31,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":74602,"mtime_before":"2023-03-06T20:08:18.883Z","inode_before":49344,"sha1_after":"72a7fc596d12feb0028b45f0d54798b9c97595a7","changed_attributes":["size"],"md5_after":"ec978c316c5f6d2bd8f25b6b9052a0e5","sha256_after":"a5480ea351fce1c01fcede67a1ccb28b5f9fe2ecb1aa9b04e1ca4f9edc9a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T16:08:15.460Z","size_after":10,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":57610,"tags":["tmp"],"sha1_after":"c9d3ef765c1bf0d3b5352ce70dbc301df37be5ae","audit":{"process":{"name":"/home/user/sample","id":58263,"ppid":8368},"effective_user":{"name":"SYSTEM","id":67},"user":{"name":"LOCAL Service","id":76},"group":{"name":"NETWORK Service","id":92}},"md5_after":"1fd13d70504e034180be97e1bffb2a93","sha256_after":"87abd72c35177f8180bcc7f05fcda4b4b7f6a8485bdd93f7b0a1b9a49561"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T18:17:56.527Z","size_after":65,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":65246,"mtime_before":"2023-03-07T18:16:56.527Z","inode_before":44180,"sha1_after":"7788860d74b022838a083bfba12b718d5723845f","changed_attributes":["mtime"],"md5_after":"1449afe28d63a59b100acb3784eb0075","sha256_after":"58b364bd9f7d34acd2ee9b0051ad4fee2c4a9a90fdb0fbae387a364c8f7e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T20:11:07.144Z","size_after":50,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":82670,"mtime_before":"2023-03-05T20:10:07.144Z","inode_before":49932,"sha1_after":"571008f4bc93ce5bb95a73b5e66a301a06714029","changed_attributes":["mtime"],"md5_after":"372489c97174ac61a5e3b81178f44989","sha256_after":"8c97157816f50205f01c2cca674ceb53855d9b990f2aabef6801731721cd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T03:14:08.925Z","size_after":63,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":5803}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T00:20:36.843Z","size_after":16,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":31087,"tags":["tmp"],"sha1_after":"6f56e26f22fa8010ea7d843396e42dabb524f518","audit":{"process":{"name":"/etc/sample","id":71569,"ppid":26553},"effective_user":{"name":"ec2-user","id":20},"user":{"name":"wazuh","id":10},"group":{"name":"NETWORK Service","id":92}},"md5_after":"5f074e93308ef192fe3b1dbc1ba7d73d","sha256_after":"7c1d2e51fcc69c1cc751065a6acbbd8962ebe3b7ef0ce65a4134e6c99c7c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T01:11:02.146Z","size_after":12,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":92509}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T19:14:49.388Z","size_after":19,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":47263,"tags":["tmp"],"sha1_after":"19986965d1ee1ec8bf2af03705927166d100b56e","audit":{"process":{"name":"/tmp/sample","id":16900,"ppid":27788},"effective_user":{"name":"ec2-user","id":57},"user":{"name":"suricata","id":2},"group":{"name":"root","id":100}},"md5_after":"165f4dfbb4a8219fa59b08c3dbf578bb","sha256_after":"07d5700eb492de4d23c0e0fa03d21192c84366285eeb291c2856463517bc"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T20:49:04.788Z","size_after":11,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":18559,"tags":["tmp"],"sha1_after":"b96671c7f9d1d049bd329c2888f465c3f9e18687","audit":{"process":{"name":"/tmp/sample","id":93051,"ppid":11378},"effective_user":{"name":"root","id":36},"user":{"name":"Administrators","id":46},"group":{"name":"LOCAL Service","id":2}},"md5_after":"9847b56c0cd37545a1f8deef17314014","sha256_after":"2bd5cd111617fd1dd8acd723d57477d3b88541a63e468399541e6d92dd94"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T12:57:50.629Z","size_after":57,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":18475}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T14:24:39.829Z","size_after":54,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":57339,"mtime_before":"2023-03-06T14:23:39.829Z","inode_before":14305,"sha1_after":"6ca4d1dffe348ce24e5fb07285b27b366da80134","changed_attributes":["sha1"],"md5_after":"d8927f9f245b3b54da9ab661de627291","sha256_after":"664ee884ee697cf52254e5f2e499ae0a2944a0aa564f9bac53b4a266f679"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T07:01:47.017Z","size_after":38,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":32571,"tags":["tmp"],"sha1_after":"dbbfb76d69111cc6e498b5ba1a74f05673984054","audit":{"process":{"name":"/tmp/sample","id":12725,"ppid":85247},"effective_user":{"name":"NETWORK Service","id":16},"user":{"name":"Administrators","id":38},"group":{"name":"LOCAL 
Service","id":55}},"md5_after":"89506e2499ca62aa4d0835c02e638999","sha256_after":"83479ddab11a543396a1ba33d04eaad4903c5be422ea59c1f531009386fa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T16:07:49.749Z","size_after":5,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":15817,"mtime_before":"2023-03-02T16:06:49.749Z","inode_before":37161,"sha1_after":"2ccbad39d27d8fc9bc0d088aa154af33091dc354","changed_attributes":["size"],"md5_after":"44071e9f76ddb7a18374e5f10ed10d29","sha256_after":"5420f4cceb0c1b153bc83fd1679742e9bb5d11011aa0a85b749208369d92"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T13:48:37.992Z","size_after":39,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":38573,"tags":["tmp"],"sha1_after":"11204d84655bb5a5868f53790b224e673c036f59","audit":{"process":{"name":"/etc/sample","id":13626,"ppid":15471},"effective_user":{"name":"LOCAL Service","id":69},"user":{"name":"wazuh","id":20},"group":{"name":"LOCAL Service","id":39}},"md5_after":"69fa8d17e544313b94189caab0a19dad","sha256_after":"a01831af3edfb8988284100bfd4ba00f09361834083774115b91d71928de"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T17:08:59.634Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":48815}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T20:27:39.444Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":19130}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T12:51:25.409Z","size_after":59,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":18040,"mtime_before":"2023-03-07T12:50:25.409Z","inode_before":94995,"sha1_after":"70e8d7a1fa5f7ee4437a5bf5345110afbd5917af","changed_attributes":["tmp"],"md5_after":"02a154d9ee817f70f2f2389c675abda7","sha256_after":"b63dba61b5fbfb276bea6aba6fc957ba33cf9da5863071f1c7575a2b967a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T09:58:10.875Z","size_after":2,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":29464,"tags":["tmp"],"sha1_after":"93cbf235ef495dc73119fbf0d98dd630512e84f1","audit":{"process":{"name":"/tmp/sample","id":90196,"ppid":70811},"effective_user":{"name":"wazuh","id":13},"user":{"name":"Administrators","id":12},"group":{"name":"suricata","id":60}},"md5_after":"f3d528f72cbe4f94a81299cf59cb7f40","sha256_after":"4a63e8014bee722ebab92d48e74834ba71ef320cb15c10f673569c949a16"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T11:22:25.561Z","size_after":53,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":86737,"tags":["tmp"],"sha1_after":"8fff1a2269ee0e880eb7b05141e64acdeac03d1f","audit":{"process":{"name":"/etc/sample","id":16315,"ppid":90714},"effective_user":{"name":"SYSTEM","id":53},"user":{"name":"ec2-user","id":38},"group":{"name":"root","id":75}},"md5_after":"55d21205be8888b8cc91a0699c0b56e7","sha256_after":"34a3306bb700e417bfa1bf3bbe8b44442fbdddba3d115ce4fd684300ddee"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T04:16:50.228Z","size_after":7,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":20155,"mtime_before":"2023-03-07T04:15:50.228Z","inode_before":1732,"sha1_after":"10284e5295297b9307df0f4ff4d013039ebf58a5","changed_attributes":["mtime"],"md5_after":"1ab4c67484c882a9fff45495287d085b","sha256_after":"564e999e822ee384ab8e4a551db968a06583f88834ccc055adcfb48e6c96"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T23:02:06.364Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":48102}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T17:33:42.066Z","size_after":6,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":95662}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T09:48:37.340Z","size_after":25,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":91140,"tags":["tmp"],"sha1_after":"4de9db5875c6a1b4a73f365706958264b2d86fce","audit":{"process":{"name":"/home/user/sample","id":15786,"ppid":15915},"effective_user":{"name":"root","id":77},"user":{"name":"wazuh","id":93},"group":{"name":"ec2-user","id":91}},"md5_after":"ba8522a6088be34adcce27f461ebd55b","sha256_after":"3b9974d74e06b4417fe86c32eb2cade013abe80f2fff7363d385754eafa0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T22:39:11.086Z","size_after":4,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":65581}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added 
to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T19:09:07.715Z","size_after":14,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":60185}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T07:22:27.317Z","size_after":34,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":91985,"mtime_before":"2023-03-02T07:21:27.317Z","inode_before":568,"sha1_after":"1fde8a15836a34ade8d9a0ef55e1905500c0ef44","changed_attributes":["sha256"],"md5_after":"f603e763c725d805fd70b98f6fda1d5c","sha256_after":"3fdb04422460ef161afa7725193356ef71909fef9cd3545650a5a53906a8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T00:39:50.125Z","size_after":57,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":93560}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T02:22:18.227Z","size_after":17,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":54889,"tags":["tmp"],"sha1_after":"a62fb5b46e2323a475f58ce4cf730a7380dd370e","audit":{"process":{"name":"/tmp/sample","id":34790,"ppid":91600},"effective_user":{"name":"NETWORK Service","id":85},"user":{"name":"suricata","id":0},"group":{"name":"root","id":35}},"md5_after":"be741398796889231d2c63b81a63f7a1","sha256_after":"9fe59b090adb3cf2901d7d4bc05501740265caeb8ac41daca2cae9d83f38"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T13:53:50.566Z","size_after":59,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":54393,"tags":["tmp"],"sha1_after":"1f1f22471fee465e5a226d09c8b84044ded049db","audit":{"process":{"name":"/etc/sample","id":64029,"ppid":7147},"effective_user":{"name":"LOCAL Service","id":47},"user":{"name":"LOCAL Service","id":91},"group":{"name":"Administrators","id":91}},"md5_after":"0ff2ec44159ec4200cc77008e4059152","sha256_after":"ddd3de3e367f53f8cea806a8ea7e820eab91ae2e8fe14a56559bafbc893c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T14:58:14.509Z","size_after":56,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":48920,"tags":["tmp"],"sha1_after":"05f2a7fae6ed729e725f146622cf0a1c512271b1","audit":{"process":{"name":"/etc/sample","id":41948,"ppid":36478},"effective_user":{"name":"NETWORK 
Service","id":95},"user":{"name":"ec2-user","id":84},"group":{"name":"ec2-user","id":47}},"md5_after":"4f2419e36841689db3785f7df15bf4c6","sha256_after":"b6a4d121d9756d89c2e1df00ec079e7aa9382f252c3df22e05ca6c848c51"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T01:07:22.035Z","size_after":56,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":79140,"mtime_before":"2023-03-04T01:06:22.035Z","inode_before":61336,"sha1_after":"20d7800cf356108199bd93178efcc23e5d8fee47","changed_attributes":["inode"],"md5_after":"d3a6b28282a7c14dbc7304a8fbfc1b14","sha256_after":"e71be8195eb1984e74bbe9e3a754a0922ed5d5ccf445457255ca6a22a65a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T03:23:46.185Z","size_after":34,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":88534,"tags":["tmp"],"sha1_after":"0880ec2e4ec9284721d6fdbfb1230d21e709a38a","audit":{"process":{"name":"/tmp/sample","id":97191,"ppid":21278},"effective_user":{"name":"NETWORK Service","id":61},"user":{"name":"suricata","id":60},"group":{"name":"SYSTEM","id":19}},"md5_after":"70f30efce2d3b431d426653347538a61","sha256_after":"04a33202a16d4b3baf7a924726f0cec431270a0623fe3449cba5034dd881"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T02:54:33.472Z","size_after":27,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":47186,"tags":["tmp"],"sha1_after":"b787a50a2ce2d32516ceac7854e35dab86a0640c","audit":{"process":{"name":"/etc/sample","id":50635,"ppid":53751},"effective_user":{"name":"ec2-user","id":38},"user":{"name":"suricata","id":30},"group":{"name":"wazuh","id":86}},"md5_after":"819cf3abd286bf74676bef71b6880302","sha256_after":"a8f18a61746a647903322d94ab54609c8b4330a4b3b98807a4f799143917"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T07:17:36.555Z","size_after":32,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":3023,"mtime_before":"2023-03-03T07:16:36.555Z","inode_before":73348,"sha1_after":"f73aadbfaa0b2c8311327b9f3c926ae321378346","changed_attributes":["sha1"],"md5_after":"34be9eb5c516ee4954152c5261489c92","sha256_after":"de51c83eeb9af61fe0070ebb15e49274fc6b8d3bae5dbf67a961398f3564"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T18:44:04.735Z","size_after":21,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":97068,"mtime_before":"2023-03-02T18:43:04.735Z","inode_before":40285,"sha1_after":"71ca1419b5d180411d8a10884cd77ebfc410943c","changed_attributes":["tmp"],"md5_after":"c6947cfb130892f9f1e5c9aabcead69f","sha256_after":"2b0f2d431b2f00d2c9ed18b612b41ffd6674e06ec9b47a392f6e36f819f3"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T00:30:52.282Z","size_after":53,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":59359,"tags":["tmp"],"sha1_after":"386a0b543fa9d6d4456d59a9a73822a4a25bb2c2","audit":{"process":{"name":"/home/user/sample","id":10662,"ppid":1316},"effective_user":{"name":"wazuh","id":50},"user":{"name":"ec2-user","id":75},"group":{"name":"Administrators","id":69}},"md5_after":"30163e7559e36352495cdc2e3ba034d9","sha256_after":"e1e5718c9bbee7c0a9fa9b97354aec7537fe23bc406afd0b20ed985d88b1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] 
HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F4","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T11:01:56.763Z","size_after":64,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":94572,"mtime_before":"2023-03-05T11:00:56.763Z","inode_before":83472,"sha1_after":"4003f9e3b3e812ab8af9398866da6e11855dc0c8","changed_attributes":["sha1"],"md5_after":"caae3370345a54f9b304838047a04f44","sha256_after":"80004d15258164fafd47846cc4904aae227cb1d69c0a21799bc452af4fd1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T04:59:37.649Z","size_after":26,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":74398}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T16:47:29.179Z","size_after":29,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":33478,"tags":["tmp"],"sha1_after":"50d4e69aacff32ed2f4d51f86bea4bbf9c6c475c","audit":{"process":{"name":"/tmp/sample","id":37892,"ppid":70901},"effective_user":{"name":"ec2-user","id":63},"user":{"name":"suricata","id":79},"group":{"name":"wazuh","id":7}},"md5_after":"fe6603c36b2cd50673b32633f16a240b","sha256_after":"1012182deca0cf21aa57a05b49c3c334b895927fc855767f53ba1590b7f3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T09:32:47.180Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":2732,"tags":["tmp"],"sha1_after":"a0607f344a509dde9ae3b3413c20ba5e398f84e8","audit":{"process":{"name":"/etc/sample","id":16626,"ppid":28486},"effective_user":{"name":"suricata","id":93},"user":{"name":"SYSTEM","id":84},"group":{"name":"Administrators","id":61}},"md5_after":"774082098b64f305ad5b5eda25950c99","sha256_after":"c597ffb713d35b1ab2aa34e13e5ffb8f3868b3580949c3a5a815498afe8f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T06:50:53.549Z","size_after":8,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":17894,"mtime_before":"2023-03-07T06:49:53.549Z","inode_before":47698,"sha1_after":"ae150c3c6645381aedb6794521b64b777fea260f","changed_attributes":["inode"],"md5_after":"62a0dd7e99d58309624637a2d8386fa3","sha256_after":"f3f7525aa02cba455a1f1b627f8ef39c9b310a20280229010fbc1156dd02"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T22:38:54.773Z","size_after":24,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":14218,"tags":["tmp"],"sha1_after":"e9f553e3a87233c09005339380495188ff121053","audit":{"process":{"name":"/tmp/sample","id":86481,"ppid":45391},"effective_user":{"name":"SYSTEM","id":67},"user":{"name":"wazuh","id":47},"group":{"name":"wazuh","id":49}},"md5_after":"3f392c826148c11d85912f03a7a42fee","sha256_after":"5c05ba2bd75a4cc36cce2bfc11203f2acfb5c4273c80c0ecba23fc3b4b82"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T13:40:51.922Z","size_after":30,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":76299,"tags":["tmp"],"sha1_after":"5ec66144e5b46f717e8e16282bf0b1d305676eee","audit":{"process":{"name":"/tmp/sample","id":34128,"ppid":97396},"effective_user":{"name":"Administrators","id":80},"user":{"name":"SYSTEM","id":74},"group":{"name":"suricata","id":11}},"md5_after":"23483c72849600d7c329c32fb14c8968","sha256_after":"80e4eb301ca3c64851ad8b34fe8d4fa226d5d561ca2aabd4a2813b5fa34e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/log/lastlog","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T03:11:29.498Z","size_after":56,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":60608,"tags":["tmp"],"sha1_after":"1d1695d8dd036b49cb419fa8de971719f62446dd","audit":{"process":{"name":"/home/user/sample","id":88942,"ppid":59038},"effective_user":{"name":"NETWORK Service","id":81},"user":{"name":"Administrators","id":78},"group":{"name":"suricata","id":93}},"md5_after":"46aac3720afd96c1c5f796b73d37b3bf","sha256_after":"b251e10331d0bb885b4a740f2fecb4ab8705dee0153d6ead36b4b19fc760"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T22:28:53.344Z","size_after":15,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":25507,"mtime_before":"2023-03-01T22:27:53.344Z","inode_before":33461,"sha1_after":"b84a67f764f0106bde7c1c705ab4f2e7994cfd50","changed_attributes":["md5"],"md5_after":"80f798f698a4099deba76958dd7ef9d7","sha256_after":"3235971141a4b1a20354a7250c533e369e3c32a39a8599ea31107083b7a8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T23:19:17.189Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":19225}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T21:21:50.262Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":68575,"tags":["tmp"],"sha1_after":"f7804358c52d8e31d6dd443d98f93713c03ebf3d","audit":{"process":{"name":"/tmp/sample","id":22198,"ppid":54596},"effective_user":{"name":"wazuh","id":62},"user":{"name":"SYSTEM","id":21},"group":{"name":"Administrators","id":83}},"md5_after":"a9c7300ba29cf14146a243574fe1dd70","sha256_after":"c8149d3dbe2b5e03f87e37252c471baf103d3926127137cc14ff49e79ab4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T13:58:54.284Z","size_after":19,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":81311}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T16:34:21.173Z","size_after":49,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":95260,"tags":["tmp"],"sha1_after":"85aeeeb8f6d11982792f92b2289a5965b3abe799","audit":{"process":{"name":"/home/user/sample","id":55953,"ppid":68510},"effective_user":{"name":"wazuh","id":75},"user":{"name":"LOCAL Service","id":87},"group":{"name":"LOCAL Service","id":34}},"md5_after":"f45122ed9999824e4473d507ce28cec5","sha256_after":"f7255cea9a783a2b41dbc5ccf8fcf3e2b60a9dbc82feeeb8e627fe0a6ec5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T07:48:43.912Z","size_after":26,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":60510,"mtime_before":"2023-03-04T07:47:43.912Z","inode_before":96160,"sha1_after":"ee00a50a0e57f9f19e2237af047c33a8d930f200","changed_attributes":["tmp"],"md5_after":"caabc04ff1869a25e7070d04fde75f32","sha256_after":"f8b27d750642c136106ce92546a2d7ed8d27088cb27a058dcd66bb0e3faf"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T11:20:06.201Z","size_after":50,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":47779,"mtime_before":"2023-03-05T11:19:06.201Z","inode_before":42635,"sha1_after":"cd6d212025fda439d30212fede1b838e2017de85","changed_attributes":["size"],"md5_after":"d30e99375345dc0a07f9963ed791dcd8","sha256_after":"21b3aae1cea7e1387f2ef4d8e388f7132def7e0be9c9f0ae14e58d809b6b"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T15:52:00.318Z","size_after":11,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":43553}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T19:25:06.129Z","size_after":35,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":25553,"tags":["tmp"],"sha1_after":"d904e2f522de99dda1915dac36c3e94deff87813","audit":{"process":{"name":"/etc/sample","id":41171,"ppid":64741},"effective_user":{"name":"SYSTEM","id":32},"user":{"name":"Administrators","id":75},"group":{"name":"suricata","id":34}},"md5_after":"f8a7a20de215d0114f99fc3bb6cbc3df","sha256_after":"a0cde1bdc83223a6f1dbd8aa00cc60fb5f7d43bf317397aadd75ec6816ab"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T21:18:06.572Z","size_after":21,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":32608,"tags":["tmp"],"sha1_after":"2494529d629b1cc858f4fdd650f53f4abb6d0e41","audit":{"process":{"name":"/etc/sample","id":13007,"ppid":43634},"effective_user":{"name":"wazuh","id":5},"user":{"name":"Administrators","id":59},"group":{"name":"Administrators","id":27}},"md5_after":"bbccec1e69aa234368c23d84887dcb2e","sha256_after":"8a8581033bc10a883a3300313c989b12b69ad647214ed14b3a501e44b01d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-04T14:20:31.795Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":95235,"tags":["tmp"],"sha1_after":"17b17ee5f669dee62d1bbcf352ff228ede1b7b0c","audit":{"process":{"name":"/tmp/sample","id":29237,"ppid":77497},"effective_user":{"name":"wazuh","id":72},"user":{"name":"Administrators","id":78},"group":{"name":"ec2-user","id":78}},"md5_after":"6b41a4ecb78602756272dfb292bb1c6b","sha256_after":"58c0173b6381e1e6fa64d241c8ebcf696d48704934051e00dcfe7d73cdd3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T20:59:24.178Z","size_after":64,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":27900}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T17:09:36.489Z","size_after":2,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":23438,"tags":["tmp"],"sha1_after":"f96e36069b78c2aff1c00cb386664c12f5780b4f","audit":{"process":{"name":"/tmp/sample","id":94791,"ppid":72995},"effective_user":{"name":"NETWORK Service","id":2},"user":{"name":"ec2-user","id":40},"group":{"name":"LOCAL Service","id":49}},"md5_after":"ee6c69ca75ec72df8d807e61ccc3e45d","sha256_after":"9d6abea7dcd26d08746a210689da5d4e120b3d05ba366b026a4fa0eb8b87"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T01:14:27.091Z","size_after":1,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":11225}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T22:24:59.666Z","size_after":54,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":94769,"tags":["tmp"],"sha1_after":"56d230ba165a2c529493bfaf2b6b910237fdd03c","audit":{"process":{"name":"/tmp/sample","id":22848,"ppid":30678},"effective_user":{"name":"LOCAL Service","id":63},"user":{"name":"root","id":96},"group":{"name":"SYSTEM","id":73}},"md5_after":"2cc1ac6155b750c2b2513d76decc43a8","sha256_after":"924e8482be387deb56913e791a2f00af22796b5ff80da3494d7b16d2fdca"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T22:55:01.059Z","size_after":7,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":51845,"mtime_before":"2023-03-04T22:54:01.059Z","inode_before":97882,"sha1_after":"d5e9bfdfecc52ce2870d559f6406c4c248123ffb","changed_attributes":["tmp"],"md5_after":"849b35329b7436aad10c7a0af689695e","sha256_after":"b9946d0639ac092f2f91b9fa10f94b254eba7ed93e819482b59f40c1759d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T03:39:25.688Z","size_after":37,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":99515}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T13:37:31.411Z","size_after":42,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":42171}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\WinDefend","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T23:38:42.730Z","size_after":52,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":53709,"tags":["tmp"],"sha1_after":"87edda8da35fbc711d69e84e78e8084862f7132e","audit":{"process":{"name":"/home/user/sample","id":57368,"ppid":33966},"effective_user":{"name":"Administrators","id":58},"user":{"name":"Administrators","id":83},"group":{"name":"root","id":94}},"md5_after":"685f0d9554f2a9047362ffeba99858c3","sha256_after":"c0aa9d9a76d4e6d9cdaf7ca996a8465904059332563f21c7ccf9d07822ad"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T13:47:01.399Z","size_after":25,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":49013,"tags":["tmp"],"sha1_after":"ac6983932965cb037c92160f47b5bad146d73fe0","audit":{"process":{"name":"/home/user/sample","id":99047,"ppid":85319},"effective_user":{"name":"SYSTEM","id":93},"user":{"name":"NETWORK Service","id":45},"group":{"name":"suricata","id":83}},"md5_after":"802ae2d7502c3dab201c9b68e1852cd5","sha256_after":"d64b84aecaef146391d93ac26ff1f2b44b5e7cda57ae42c1e63389e1613e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T00:19:00.052Z","size_after":24,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":38024,"mtime_before":"2023-03-04T00:18:00.052Z","inode_before":94098,"sha1_after":"4f9f3b75fe3771bdc3e15d6ba0c190595f2ee3bc","changed_attributes":["size"],"md5_after":"1319ba0ec1de35e75c9d4ce7efcb3d76","sha256_after":"021cc5dffb54391d69f9601851114a4562fdfa6c67b9e11a0b60acd70469"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T00:56:01.266Z","size_after":21,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":3131}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T18:31:47.563Z","size_after":25,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":65930,"tags":["tmp"],"sha1_after":"1293c093f5406b4c5300a9b845ef3e42fbbe94f8","audit":{"process":{"name":"/home/user/sample","id":84327,"ppid":47884},"effective_user":{"name":"LOCAL Service","id":82},"user":{"name":"LOCAL Service","id":28},"group":{"name":"NETWORK Service","id":14}},"md5_after":"5547b60a4353c134532aec4a8d71a09c","sha256_after":"e03311634b657f43c3eef47f6611f1f9af3f6dd44ce60aeb9ff4608d50e7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T08:13:14.609Z","size_after":42,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":48001,"mtime_before":"2023-03-07T08:12:14.609Z","inode_before":94759,"sha1_after":"5227fe010094a53ff23c2b3f1dcb38c58f90dd8a","changed_attributes":["inode"],"md5_after":"273bb4edea34cb06181c3a6e7aa2df19","sha256_after":"66230ab5cf186186e9daba06363c684ac7fac8706f3cd79fb1f31e8df159"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T05:55:39.794Z","size_after":34,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":16512}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T16:08:28.087Z","size_after":35,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":5147,"tags":["tmp"],"sha1_after":"01981a9d4536ccddf467289f40f174b49ef300ff","audit":{"process":{"name":"/etc/sample","id":94968,"ppid":31559},"effective_user":{"name":"ec2-user","id":88},"user":{"name":"root","id":55},"group":{"name":"LOCAL Service","id":58}},"md5_after":"0a5cfbf103d3465ee72c8ea2144b52c3","sha256_after":"5b6c915000c57f209c70be4cab96f71329cb8912845a1112ac9321e88865"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/filebeat/fields.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-08T04:46:50.582Z","size_after":36,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":22000}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T13:13:00.912Z","size_after":39,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":42653,"tags":["tmp"],"sha1_after":"0cb2cebac1b6f2e57cfedcb7413fc9e8c461f7e6","audit":{"process":{"name":"/tmp/sample","id":48882,"ppid":87889},"effective_user":{"name":"root","id":20},"user":{"name":"NETWORK Service","id":72},"group":{"name":"LOCAL Service","id":31}},"md5_after":"18e199c864afbf426e06813a7d4d6870","sha256_after":"4e2dc253d93145c3392da4806b564435f69c7cebbf1dd6701aee7e045f66"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T06:00:45.544Z","size_after":52,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":7492}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T21:37:03.720Z","size_after":35,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":98044,"tags":["tmp"],"sha1_after":"82c4c58198a5d4946d965add3aaf67d5dd9daeff","audit":{"process":{"name":"/tmp/sample","id":90822,"ppid":306},"effective_user":{"name":"wazuh","id":27},"user":{"name":"SYSTEM","id":15},"group":{"name":"root","id":0}},"md5_after":"ff234a0ed77dc3c96eb0e859008e273e","sha256_after":"89f2bb719c3a0ef8836d21c46e96c82950f679c2513e734ee28ce3baf79c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-856620481-996501011-1859314257-500","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T09:31:44.254Z","size_after":58,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":33396}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T13:00:16.382Z","size_after":21,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":27096,"tags":["tmp"],"sha1_after":"ea2590c4b1b8f43da60ba4e13bb127ad4d8f8b81","audit":{"process":{"name":"/home/user/sample","id":73257,"ppid":75756},"effective_user":{"name":"SYSTEM","id":59},"user":{"name":"wazuh","id":69},"group":{"name":"NETWORK Service","id":83}},"md5_after":"7fa15cbcd3f3f4303c52fd55a04502da","sha256_after":"37ba1020272b5ba78ac6c4e25fdad99387ef0ef5b5de9bf7d7310d5620ad"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T15:48:20.204Z","size_after":10,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":18596,"tags":["tmp"],"sha1_after":"80451e588eb58bfd6fb7dbcecfd251bca5a9341f","audit":{"process":{"name":"/tmp/sample","id":72737,"ppid":89156},"effective_user":{"name":"SYSTEM","id":13},"user":{"name":"suricata","id":93},"group":{"name":"SYSTEM","id":18}},"md5_after":"d6e8c1ca9b8aef1be26ddb012f2012bd","sha256_after":"28b6628c0f846ddedba182dd303e072616eea5a04f4043a06637214adb22"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T17:50:46.152Z","size_after":39,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":94481,"mtime_before":"2023-03-06T17:49:46.152Z","inode_before":56121,"sha1_after":"685e81c7359e38b7c91cb7da40ae9b93d9cde363","changed_attributes":["md5"],"md5_after":"0566d90113867cd0a8c9da2554e87e9b","sha256_after":"f8f1f3b7f57c62cd71109ffe089098d06a249b077a83c1cd076d46dc255f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wazuh-agent.state","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T05:21:37.463Z","size_after":8,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":60626}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T02:34:38.639Z","size_after":61,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":20570,"mtime_before":"2023-03-08T02:33:38.639Z","inode_before":73061,"sha1_after":"3b4ee34b08d8ea53ff7d399d050336bbf837e29d","changed_attributes":["md5"],"md5_after":"a3ccd73bcfa0992a05c1886db8409bc2","sha256_after":"af7ac4ba5a9fa478fcb9ae3b775493db6344071084de0d0227e2d187d97d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T23:05:30.910Z","size_after":8,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":8064,"mtime_before":"2023-03-04T23:04:30.910Z","inode_before":71978,"sha1_after":"0f4d6e5f52ceb9b86ddf2f271adbcb4207adb1ad","changed_attributes":["tmp"],"md5_after":"a898d4e70cca03aace0395c1e173ca81","sha256_after":"4c6a901fa53565916fcb4380e8ec01acc6ed25aa5ca7b0c7407d1f70e1c9"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T07:09:40.553Z","size_after":43,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":23853,"mtime_before":"2023-03-04T07:08:40.553Z","inode_before":72583,"sha1_after":"7e07d1930eb0984df9b38601eace3469a5d0e254","changed_attributes":["sha1"],"md5_after":"6d12c52043bb7f7a24ba82466a71e0d4","sha256_after":"c34c069b4fa74c3cbd94d7b9bb57b0c21cdb6fa0d2c35185261947c518a8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-08T08:22:53.199Z","size_after":52,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":88026,"mtime_before":"2023-03-08T08:21:53.199Z","inode_before":90052,"sha1_after":"0e51cdf342538e4fa1bd2576d853b70660a16d63","changed_attributes":["inode"],"md5_after":"3c464f835f4929a17d009736ea1ef64c","sha256_after":"b369b86b4aecae712e0ab21999782a0ee8e8dbd171e7abf032aaa828a68b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T02:44:01.608Z","size_after":58,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":49738,"tags":["tmp"],"sha1_after":"f9e6ad211b7dacc3e75b0dfc589265d907eda3df","audit":{"process":{"name":"/tmp/sample","id":17288,"ppid":77941},"effective_user":{"name":"Administrators","id":99},"user":{"name":"wazuh","id":47},"group":{"name":"Administrators","id":29}},"md5_after":"172c1420b947f8aae14ea102f15642ff","sha256_after":"4df95e5a7f694b4364f68b531be1f48507140389b0922921efebe6b07ba2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T00:18:45.944Z","size_after":43,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":51197,"tags":["tmp"],"sha1_after":"1bff46943984c59de5339b1d1bdf7fc19f5227e7","audit":{"process":{"name":"/etc/sample","id":95743,"ppid":6890},"effective_user":{"name":"root","id":69},"user":{"name":"wazuh","id":54},"group":{"name":"LOCAL Service","id":47}},"md5_after":"388e5e56f7329428ee63e55a256981e7","sha256_after":"2a9c35b6a846762d9f8aa07777b7b1ea1e1a988177dd5cfab0697befa703"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T12:20:07.499Z","size_after":53,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":25565}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T15:25:48.728Z","size_after":19,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":66789,"tags":["tmp"],"sha1_after":"7eb7263aff4f0102c34a61c08a2f09cd455f11ac","audit":{"process":{"name":"/tmp/sample","id":4777,"ppid":21951},"effective_user":{"name":"Administrators","id":18},"user":{"name":"wazuh","id":57},"group":{"name":"NETWORK Service","id":8}},"md5_after":"9fa3749fc09fd859573294bcbd944236","sha256_after":"189191517715e3a49a9fe3f57bd88fcb51e1a131aaa01182e1e9394240e7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T11:51:54.370Z","size_after":28,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":56440}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T10:04:14.503Z","size_after":32,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":11566}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T23:52:24.184Z","size_after":55,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":66478}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T15:41:53.362Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":64548,"tags":["tmp"],"sha1_after":"3f823a02c4dbc6b64f3c5369b3aba291492c0b29","audit":{"process":{"name":"/tmp/sample","id":34350,"ppid":34346},"effective_user":{"name":"wazuh","id":11},"user":{"name":"wazuh","id":59},"group":{"name":"wazuh","id":81}},"md5_after":"b32d3dbc1ba06d3205ba4eac32f40823","sha256_after":"d9f4b4bc76e019486dbc3bcf691605bceb34ebfdfab7ebaff4f631cb3ce9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"root","gname_after":"root","mtime_after":"2023-03-01T14:33:03.450Z","size_after":34,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":22632,"tags":["tmp"],"sha1_after":"8b4709844c279a3d9cee6fec42d21b1df7238483","audit":{"process":{"name":"/home/user/sample","id":33901,"ppid":70917},"effective_user":{"name":"LOCAL 
Service","id":49},"user":{"name":"ec2-user","id":41},"group":{"name":"LOCAL Service","id":65}},"md5_after":"d5767ab0d8c67ad4a10f22cebd8119d0","sha256_after":"ce347309074c972598c793d1b2f3b9df7470d98ff4a746e5ba701b5b3bad"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T02:34:08.630Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":2408,"tags":["tmp"],"sha1_after":"292728628f1909697ae3e121d44876cbd5b16e6a","audit":{"process":{"name":"/tmp/sample","id":87202,"ppid":77614},"effective_user":{"name":"suricata","id":55},"user":{"name":"LOCAL Service","id":20},"group":{"name":"NETWORK Service","id":74}},"md5_after":"dcd7a4cbe0bb10933d0079466618dc4c","sha256_after":"008053d2adb568be1f5d21b5b52458d05db24057492419de1cef56d562a8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] 
HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T04:41:04.660Z","size_after":34,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":46244}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T22:51:31.219Z","size_after":37,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":20592,"mtime_before":"2023-03-03T22:50:31.219Z","inode_before":98544,"sha1_after":"1911e0dda110727d4227aece40b268cffffd257e","changed_attributes":["md5"],"md5_after":"4d563a9d5a717ccf1da23d0b9c1686ae","sha256_after":"b040aebbff34c15f7a24bb3c09cb89f669822393e5feeed7e4b9d2dabe2a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-02T03:41:43.995Z","size_after":13,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":86431,"tags":["tmp"],"sha1_after":"b9747130f31919c03f179fc6491f87fa1ebb3429","audit":{"process":{"name":"/etc/sample","id":67808,"ppid":79422},"effective_user":{"name":"suricata","id":6},"user":{"name":"suricata","id":6},"group":{"name":"ec2-user","id":51}},"md5_after":"e72bd5a86f37bcdaf1603111d007a9c2","sha256_after":"9140a999e04ccb67ece1fe2756973ef32e9e41782582ec7e99ed32a1a583"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T18:53:34.716Z","size_after":34,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":88857}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] 
HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T03:29:35.809Z","size_after":19,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":79578}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T17:17:29.821Z","size_after":5,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":56456}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T14:52:34.824Z","size_after":19,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":71421,"mtime_before":"2023-03-07T14:51:34.824Z","inode_before":1637,"sha1_after":"9c36d03c521fee22973303c80ef62fa43aba9f72","changed_attributes":["mtime"],"md5_after":"111c0a75227eef4614d9ad750bcde994","sha256_after":"077359c530bf6438babf11a93be67e695d235f3d70ed0647ad1c1d11dd3b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-08T00:56:37.387Z","size_after":12,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":27526,"tags":["tmp"],"sha1_after":"34fe79cb856fbf82280519a5af073e61f32cff2d","audit":{"process":{"name":"/tmp/sample","id":41095,"ppid":82173},"effective_user":{"name":"suricata","id":98},"user":{"name":"NETWORK Service","id":9},"group":{"name":"LOCAL 
Service","id":11}},"md5_after":"30aa37217f992ae20dfd5f6fe8969deb","sha256_after":"76f781882e531dd9a56affb1db718d27f6f9abf0819fd5ae46e4dcf5a70b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T13:22:49.685Z","size_after":45,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":91020}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-07T01:08:41.198Z","size_after":54,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":49732,"mtime_before":"2023-03-07T01:07:41.198Z","inode_before":66260,"sha1_after":"34c97376b0c836ee7cc860413599131d9c6c70ca","changed_attributes":["mtime"],"md5_after":"e07d73b7ea48f6d6a6effa6584dc82fa","sha256_after":"b84d88b61558ab8e8f87072b2a37d059dfd0d0f0a52defe18cbd9100b195"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T03:42:30.528Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":87612,"mtime_before":"2023-03-02T03:41:30.528Z","inode_before":98203,"sha1_after":"29fbdff3a4dc63217c45f74d977299279a4bdac3","changed_attributes":["sha1"],"md5_after":"64397b3c6d6e63e8ffdf9cea7eaaf3c0","sha256_after":"16b1fd9b580362a943304470ab7f05fd65fcf054809e1813c77f3b5ae9b5"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T23:31:19.295Z","size_after":37,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":37753,"mtime_before":"2023-03-04T23:30:19.295Z","inode_before":78288,"sha1_after":"67734b8790121128a28e360fdc904dd77c4c0e5c","changed_attributes":["tmp"],"md5_after":"f963ad8e8d0dedf9acac67aed8550cc1","sha256_after":"2fc4a05da36daff82015acca1ad5aba220e588c9cabcfc6de9ec5d725307"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T07:34:57.340Z","size_after":9,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":82570,"mtime_before":"2023-03-07T07:33:57.340Z","inode_before":80402,"sha1_after":"72dbb363f4f1ceb9fd75bfed670eac4ab31c85fc","changed_attributes":["md5"],"md5_after":"f26a20a58f8043e9636436718a62b4b3","sha256_after":"9e8915ae0958068360f6b830a1b04381249ce5cfc5b6bf82b9ecf1e52624"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T20:13:51.718Z","size_after":39,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":69370,"mtime_before":"2023-03-07T20:12:51.718Z","inode_before":23231,"sha1_after":"9e8b36913735f4e9e19e8b3fed66eb3342e2889f","changed_attributes":["inode"],"md5_after":"17104c3f0e7f2e2c340f515487d5ef70","sha256_after":"09948bf26a57404053c411d0c2a50cee3ba552144ab71e511b5986cc062f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T22:39:42.807Z","size_after":43,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":98065,"mtime_before":"2023-03-06T22:38:42.807Z","inode_before":2985,"sha1_after":"2bbb2aceed98dda1f098bbcd6c80f7adfedd7e4b","changed_attributes":["size"],"md5_after":"f19be73acdb4f06dc13b76f4744e8c5e","sha256_after":"3721d8e9d1fd92d3c837ed781f332c6b845928971b5294246f1eae6529bd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T10:29:42.186Z","size_after":52,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":8441}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T15:40:35.314Z","size_after":36,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":48030,"mtime_before":"2023-03-03T15:39:35.314Z","inode_before":83823,"sha1_after":"ea2525284492feed0dd7d4db831e324ba69fa4ad","changed_attributes":["sha1"],"md5_after":"80a26c6596b1aab02d047db2a59f576f","sha256_after":"0ad576d5e03419b9401960b2c5502cf7f2d82ad1859797188bc6665d6458"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T03:27:45.660Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":66658,"mtime_before":"2023-03-02T03:26:45.660Z","inode_before":43692,"sha1_after":"da770426e0814799fb110d44d4d9ad1ce0cbe34a","changed_attributes":["sha256"],"md5_after":"7e7c00032beb541d4f0a0f956b1ef064","sha256_after":"8251e99146ec3e7f12e15e96ba0f7581991100536b9341b41a102b717a9f"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{54b31d7e-36bf-4bbe-9ab2-106a939cd78c}","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T13:39:21.625Z","size_after":58,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":4534,"mtime_before":"2023-03-03T13:38:21.625Z","inode_before":90625,"sha1_after":"0038d7688bf961b466f1390fb0e33be6b9465de1","changed_attributes":["inode"],"md5_after":"70bac5ea10fb3cb39ecb7e42b6db3381","sha256_after":"391a28c2c0d99a30d399eda792c2e52daa5172ef9723cbc1fff62b39cba2"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/users","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T09:17:33.457Z","size_after":61,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":23460,"tags":["tmp"],"sha1_after":"a663c64a68e265917cdcf4d35d8c42a0e5c5d7e0","audit":{"process":{"name":"/tmp/sample","id":96809,"ppid":70202},"effective_user":{"name":"LOCAL Service","id":46},"user":{"name":"ec2-user","id":91},"group":{"name":"SYSTEM","id":30}},"md5_after":"7c605859bf51e5abdb2d2e5bfb74fb58","sha256_after":"987e1682a700987930a25be5ad722b2d1c3f42da884d0365331cc9fd6fb6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T04:52:24.611Z","size_after":31,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":49296,"tags":["tmp"],"sha1_after":"4d214a0a48d02ae1244a6ba527d54af8da5c7968","audit":{"process":{"name":"/home/user/sample","id":18344,"ppid":5283},"effective_user":{"name":"Administrators","id":73},"user":{"name":"Administrators","id":27},"group":{"name":"NETWORK Service","id":2}},"md5_after":"bcc0eee24065bb56d28da92b65eb72f0","sha256_after":"7e4f3f94cf94d0e6cb3a3c532bc45f3cb87d71a77bedea30d502bdbc0caa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T13:10:46.471Z","size_after":18,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":29837}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T05:56:10.162Z","size_after":31,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":21062,"mtime_before":"2023-03-05T05:55:10.162Z","inode_before":64709,"sha1_after":"a6d9a6335d3481636beecef0a462bdbc14d78085","changed_attributes":["sha256"],"md5_after":"3b64c0ecaf358a0a904b4dfce45f070d","sha256_after":"807ba1c55410d587bd3b1f7d1915b823036c1f36b9bdcb7e433c2b6a30cc"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T10:50:18.241Z","size_after":2,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":1360,"mtime_before":"2023-03-03T10:49:18.241Z","inode_before":40180,"sha1_after":"cee9c7d671ef81a7aee0dbf7c291f359f3a9d202","changed_attributes":["tmp"],"md5_after":"7904ae87c496414d1bb544ee404d0f06","sha256_after":"4a00f9b1303c426ae78e8862084c5047cfd69b6a4c7a83613c11d663632b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T18:46:54.620Z","size_after":41,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":52421}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T08:01:56.995Z","size_after":13,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":66844,"tags":["tmp"],"sha1_after":"7ec13041eb48896bab462344044c92adc917ad14","audit":{"process":{"name":"/tmp/sample","id":44802,"ppid":80386},"effective_user":{"name":"ec2-user","id":30},"user":{"name":"NETWORK Service","id":61},"group":{"name":"ec2-user","id":94}},"md5_after":"70122b11b780a7f1fa306a5ab1e8c9c6","sha256_after":"fd68cd3ca24866c038c3ec70439fa7d728fa1a448a8444f2bc17f747f7a6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T08:33:35.461Z","size_after":53,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":67596}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-03T02:01:58.225Z","size_after":43,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":57265,"mtime_before":"2023-03-03T02:00:58.225Z","inode_before":83700,"sha1_after":"448500ae927ec093de1c7567f5859a3ce2e07891","changed_attributes":["tmp"],"md5_after":"695cd430f197a271429574a2905e9184","sha256_after":"5bebff5a113ca04886921e4d3f5ab7251a86eb414457e799fe74574be588"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T04:26:26.862Z","size_after":51,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":11882}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T16:03:44.357Z","size_after":40,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27006,"tags":["tmp"],"sha1_after":"8a11edbb81058b22c575adb197378b188b178d50","audit":{"process":{"name":"/tmp/sample","id":31307,"ppid":12452},"effective_user":{"name":"Administrators","id":33},"user":{"name":"Administrators","id":71},"group":{"name":"Administrators","id":12}},"md5_after":"17ab74da214cfa80dc2ae6ae60cac02c","sha256_after":"c76cb8394cd1cffc1b369c330abd036ab4e8f4149490022abed89ca41ca9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T05:13:44.646Z","size_after":54,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":51134}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T08:47:23.815Z","size_after":52,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":22497,"tags":["tmp"],"sha1_after":"8e43878c707d76ea44d568048ea972aa146a1a0c","audit":{"process":{"name":"/etc/sample","id":40181,"ppid":75569},"effective_user":{"name":"suricata","id":43},"user":{"name":"wazuh","id":57},"group":{"name":"LOCAL Service","id":6}},"md5_after":"f87b41d2f81934071ddc48e3a4b17678","sha256_after":"5fdbdf8009557dbb965a1c24e83b87cd31da71f3c1a996f9fc053bdd8427"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T07:55:06.864Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":93179,"mtime_before":"2023-03-06T07:54:06.864Z","inode_before":75288,"sha1_after":"64f43e4d63f2ab588d3ada24418a860088b8b376","changed_attributes":["mtime"],"md5_after":"7a000522d1fcfb2756f6646340f6e340","sha256_after":"e3bb1d1d49f3b2195e85740f65426ec0dc378caddccb7f9297fa1858e50a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T01:08:12.620Z","size_after":51,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":1986,"mtime_before":"2023-03-05T01:07:12.620Z","inode_before":91939,"sha1_after":"a9569b3b9c5e4d36c1e3ca6b6ac72ce623bb5388","changed_attributes":["mtime"],"md5_after":"79e723e2b5a0a5a96331b0130c69173d","sha256_after":"f8275c279d0fc978e0b199212239171c55218f72f3638ac2cd05103fbf4c"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T21:48:31.974Z","size_after":28,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":53085}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T10:05:21.337Z","size_after":59,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":90770}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T04:24:51.116Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":54250,"mtime_before":"2023-03-07T04:23:51.116Z","inode_before":77784,"sha1_after":"4e600733f3b0c62f06b622f2e68f868bd06876a9","changed_attributes":["sha1"],"md5_after":"ec7447e40c696d48aaf0ce67e226b592","sha256_after":"eb554587bb0ad0b94c45496e7975775789d5f19fb2b56b550f03c1ca5602"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T20:14:47.599Z","size_after":60,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":35950}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-01T21:01:33.175Z","size_after":22,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":23541,"tags":["tmp"],"sha1_after":"8b760daedab9737770065f75d8c7e0d98289eac7","audit":{"process":{"name":"/home/user/sample","id":54923,"ppid":54896},"effective_user":{"name":"NETWORK Service","id":2},"user":{"name":"SYSTEM","id":86},"group":{"name":"ec2-user","id":45}},"md5_after":"87783e61a941c9fa945e2be157af5074","sha256_after":"a04b9511b494e426c451b1d5b751f8b5ebfd90877033eb2566109817fcbe"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-04T13:28:49.354Z","size_after":64,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":4551,"tags":["tmp"],"sha1_after":"570d1bb942b6b7f23856c66f48ff3ef3badcfada","audit":{"process":{"name":"/home/user/sample","id":94644,"ppid":80634},"effective_user":{"name":"ec2-user","id":94},"user":{"name":"wazuh","id":20},"group":{"name":"suricata","id":23}},"md5_after":"3dc3edfbf543c41a5efa944a51eafca8","sha256_after":"bf3d0726b2b17995594c83641caaa2bd1a2ea862299e994c1d90b1b7640a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T18:06:05.527Z","size_after":50,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":4570,"tags":["tmp"],"sha1_after":"34f778857713465674742f71359df023c407c859","audit":{"process":{"name":"/tmp/sample","id":94679,"ppid":99305},"effective_user":{"name":"root","id":79},"user":{"name":"wazuh","id":74},"group":{"name":"NETWORK Service","id":53}},"md5_after":"f327442217b2c314331222980da6b87f","sha256_after":"e578c9ddc4bb8b2a2e663958264d67a271131aa057ead76b224b6fa8d5be"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T02:45:37.516Z","size_after":8,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":14510,"mtime_before":"2023-03-05T02:44:37.516Z","inode_before":11824,"sha1_after":"916866ccae1c81d85c8fe08fb4032abf0aea6ada","changed_attributes":["sha1"],"md5_after":"598d53ec56da9e8c48f2ce692f8081e4","sha256_after":"95878ad99bbc1da75aca23d422a4da0470e66af1aa85a794d0594ed750da"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T19:00:12.822Z","size_after":31,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":78943,"mtime_before":"2023-03-06T18:59:12.822Z","inode_before":37772,"sha1_after":"2916060cb46e1476e0bd3a6b6d2690846694e792","changed_attributes":["sha256"],"md5_after":"7ff0da94224191a547c0de60f0276ae2","sha256_after":"5934282d5cdc6bca859a721cbade82d2b60f0b8552835c3329d53ed57c9d"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T10:31:21.518Z","size_after":36,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":82862,"tags":["tmp"],"sha1_after":"96f1213f3d9973c0d68bdbbba108e34d717abb59","audit":{"process":{"name":"/etc/sample","id":84315,"ppid":74224},"effective_user":{"name":"Administrators","id":92},"user":{"name":"LOCAL Service","id":21},"group":{"name":"wazuh","id":52}},"md5_after":"5f508fce4741f1e4cc4d0c65298391fc","sha256_after":"83cdf18d4a51482b3aacec87b44a08a1b4f64e707b880d008c4710d78109"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T07:32:23.236Z","size_after":42,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":60517,"mtime_before":"2023-03-04T07:31:23.236Z","inode_before":41945,"sha1_after":"6c9b75e913e1b84767c8fe0cb10332413d3a9cd7","changed_attributes":["sha256"],"md5_after":"adcfb3b6d1c5b98220e89f561a5db92d","sha256_after":"e3249b719b0da6902a09c83e306378bf9b939da5deaefe33fb539afb63a4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T12:34:12.234Z","size_after":55,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":52700,"mtime_before":"2023-03-01T12:33:12.234Z","inode_before":10952,"sha1_after":"ac96c551fe215f3012ca493d2d28c321ab330c33","changed_attributes":["md5"],"md5_after":"68d148ede85243834dc231d336fd8e08","sha256_after":"7553a64f40c62bb8b7ab7442a6bfd923d2f764be20d0f7e429fe1aaa5aae"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T20:15:36.237Z","size_after":0,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":56879,"tags":["tmp"],"sha1_after":"a95e715fd3014fd458f7ef6fa8998c2e5a585012","audit":{"process":{"name":"/tmp/sample","id":76479,"ppid":41456},"effective_user":{"name":"suricata","id":97},"user":{"name":"root","id":91},"group":{"name":"root","id":19}},"md5_after":"d90503db680740de726c27a9229aa2f9","sha256_after":"e1908c66a013c59848306e9d530112ee7efdfaff43612f98cb5345acb29b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T07:00:27.442Z","size_after":2,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":77105}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T21:39:45.881Z","size_after":38,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":10423,"tags":["tmp"],"sha1_after":"47a9bc1844b0f0f9370063347b33d44b5c1f89d2","audit":{"process":{"name":"/tmp/sample","id":1947,"ppid":4066},"effective_user":{"name":"wazuh","id":28},"user":{"name":"wazuh","id":49},"group":{"name":"root","id":72}},"md5_after":"cfbd4e064ceb22598b4d23e9c1f136b0","sha256_after":"08dc8f5725e1861ecf016b42d33a9fad1462117c2a6b643067ad7f240390"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T19:49:55.782Z","size_after":17,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":43568,"tags":["tmp"],"sha1_after":"2a846ab705cde8218703b92286f5452b82990e6b","audit":{"process":{"name":"/tmp/sample","id":87001,"ppid":49148},"effective_user":{"name":"suricata","id":8},"user":{"name":"NETWORK Service","id":41},"group":{"name":"suricata","id":42}},"md5_after":"457087d537638d2bbe623ace0df0cef5","sha256_after":"19b810e3822312640bbff0e4c355e5308f28f22a34d80540b7495fd1a0aa"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-01T21:28:04.582Z","size_after":21,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":39987}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T13:54:36.477Z","size_after":0,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":33466}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T05:44:47.412Z","size_after":28,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":75014,"mtime_before":"2023-03-02T05:43:47.412Z","inode_before":17015,"sha1_after":"c50ad3cd2df079365efbab412cdb167460864e37","changed_attributes":["mtime"],"md5_after":"5a7b169fccf5321d627777254367520a","sha256_after":"9d4864383bb5e44b8e6c87c17d9cd9047523f13b6a2828111d70f7b0b4be"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T03:29:42.496Z","size_after":47,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":19736,"tags":["tmp"],"sha1_after":"2e7ffe94185e563f840586b665b715fb0bfa4c41","audit":{"process":{"name":"/home/user/sample","id":21606,"ppid":86839},"effective_user":{"name":"suricata","id":88},"user":{"name":"LOCAL Service","id":29},"group":{"name":"root","id":92}},"md5_after":"bd1a2f4efc6332187193c121703d5817","sha256_after":"de33f52a7780230c358486203ced429b46bd3c631b48b97f26796ac75c46"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T01:44:36.726Z","size_after":10,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":20769,"tags":["tmp"],"sha1_after":"edfa6744a1eea81673d314214d04f181ac07c151","audit":{"process":{"name":"/home/user/sample","id":63159,"ppid":43040},"effective_user":{"name":"LOCAL Service","id":13},"user":{"name":"SYSTEM","id":67},"group":{"name":"NETWORK 
Service","id":31}},"md5_after":"9f3221a4fe0d31223e61de7967f359e7","sha256_after":"c2de0cd245dc6e0a44a39f04439453b0ff83ec49847b4b39d752aaf21e06"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T13:08:11.792Z","size_after":21,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":65239}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T20:13:06.381Z","size_after":22,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":7820,"mtime_before":"2023-03-03T20:12:06.381Z","inode_before":61002,"sha1_after":"9934bd348012d0dbd567aaf3fa27ed621f204cc6","changed_attributes":["size"],"md5_after":"1daab9f47c39faffda2137abf33b441c","sha256_after":"9f3206c35b42e96d1c10437a905db4c8348caa6e5b6d8bf086aec96460bb"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\Config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T14:38:14.561Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":4587}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T21:59:29.140Z","size_after":65,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":66585}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T03:40:47.385Z","size_after":27,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":79626,"tags":["tmp"],"sha1_after":"3db308e576d90db2257e2602037d3ede404995b2","audit":{"process":{"name":"/etc/sample","id":28400,"ppid":63033},"effective_user":{"name":"NETWORK Service","id":36},"user":{"name":"suricata","id":13},"group":{"name":"root","id":33}},"md5_after":"42dbcab32f35b109c2dad95b9d1c6931","sha256_after":"b3529cc940c28d4bf27198f00f8c9358752a13922bccf4ca2af00ad61c1c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/agent.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T03:56:52.584Z","size_after":15,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":85654,"tags":["tmp"],"sha1_after":"57773c205857541803a323105fb70ea93b3345ec","audit":{"process":{"name":"/etc/sample","id":11373,"ppid":97946},"effective_user":{"name":"NETWORK 
Service","id":57},"user":{"name":"Administrators","id":94},"group":{"name":"root","id":6}},"md5_after":"c6a762945e094117999cd228507b7ada","sha256_after":"376db22bc8ecb5627d6f31c435b37f28edcd3b4038e1b42ce3bde95fa281"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T19:57:09.379Z","size_after":5,"uid_after":"S-1-5-18","gid_after":"0","perm_after":"rw-r--r--","inode_after":94163,"mtime_before":"2023-03-05T19:56:09.379Z","inode_before":32475,"sha1_after":"4e265b5c8914f6ad27aceecfa2a025fbc4a9dd90","changed_attributes":["size"],"md5_after":"581984cfefff18d2e84058f524c06905","sha256_after":"3f66cc5fe63c9aeb5c0803e3443cb14443303ce6fb895b42bd3948a2933e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files 
(x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T12:39:08.047Z","size_after":25,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":90655,"mtime_before":"2023-03-04T12:38:08.047Z","inode_before":75253,"sha1_after":"ca8bd659b94d3a5f25ede5f71b6c1c2f5dda7d27","changed_attributes":["tmp"],"md5_after":"32e5f6e8d536ddef4ff70cede75f56cb","sha256_after":"e4d06ebad16b780743ef9eb795ea8b397a9ec90c6f9c9d43908caf52c8a1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T18:39:45.065Z","size_after":60,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":50617,"mtime_before":"2023-03-05T18:38:45.065Z","inode_before":71795,"sha1_after":"23fe2cfff57523170fa87385596b6cfc28ee21f4","changed_attributes":["sha256"],"md5_after":"0ae9a3f0e0f567e4e598015854e8f923","sha256_after":"084c7b91652499a4b377a18377a2cd325b6a8d17cffe85787b2b3f1e1de9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T16:58:20.045Z","size_after":22,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":94524}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T14:33:08.021Z","size_after":29,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":56982,"mtime_before":"2023-03-02T14:32:08.021Z","inode_before":27831,"sha1_after":"c79248b344c9d57e7aa6bf81a1429ef618450a89","changed_attributes":["sha256"],"md5_after":"8359b81af49ccdf1c54c57c0a0f471ed","sha256_after":"b3ebee413110de529a2bae2c046f4e04c8c9b65eb8f4fd7cdbd31c1b4a20"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T10:19:37.160Z","size_after":23,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":13310,"mtime_before":"2023-03-02T10:18:37.160Z","inode_before":76627,"sha1_after":"c31dafc83f7968cab59ba3c97ded249bb267be18","changed_attributes":["sha1"],"md5_after":"710c987898f600ebbc82b44455227c58","sha256_after":"bda915240f5660406c63ec7f719153ced62148edbc1416b51eb3b2a0ce91"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T14:24:30.919Z","size_after":1,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":25032,"tags":["tmp"],"sha1_after":"43ae73945b7cffd05d247e9c8f90aa0e89f96620","audit":{"process":{"name":"/home/user/sample","id":75442,"ppid":61034},"effective_user":{"name":"NETWORK 
Service","id":82},"user":{"name":"Administrators","id":9},"group":{"name":"ec2-user","id":37}},"md5_after":"90e7d9eab3182205dcf5c83780b1e8a1","sha256_after":"1022ea4a694237965471ea97a754611f146a6cacc75703e1fefa969a1248"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-07T01:25:33.795Z","size_after":15,"uid_after":"S-1-5-32-544","gid_after":"190","perm_after":"rw-r--r--","inode_after":51458}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-07T13:20:19.682Z","size_after":3,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":28923,"tags":["tmp"],"sha1_after":"471f8db5b69157441d69e0cf36b3deb57e497467","audit":{"process":{"name":"/tmp/sample","id":10101,"ppid":98232},"effective_user":{"name":"root","id":87},"user":{"name":"ec2-user","id":100},"group":{"name":"suricata","id":14}},"md5_after":"6e8c6d93106bcd283b48dce1f349e75d","sha256_after":"c7c25efcef7a786b6a0b5386ae198af8a380d1afbe4fdccc6f1dce829331"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T18:36:59.660Z","size_after":38,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":95569,"tags":["tmp"],"sha1_after":"e6da693f56fc783b66db19d4ed58ada95710cd18","audit":{"process":{"name":"/home/user/sample","id":75488,"ppid":84738},"effective_user":{"name":"Administrators","id":78},"user":{"name":"suricata","id":95},"group":{"name":"suricata","id":29}},"md5_after":"9b3e737839344c0f24a80a3d8c78a24a","sha256_after":"62957f05df6eb70079757b2fd87780ff2581c1a37728dfe417b24b5931ca"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-08T00:59:40.305Z","size_after":38,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":77233}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-07T21:02:00.521Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":9418,"mtime_before":"2023-03-07T21:01:00.521Z","inode_before":54438,"sha1_after":"5d1053d76d5b2db549896b85861d384b00fbaf26","changed_attributes":["sha1"],"md5_after":"d80dfde7a619f0896649404d2292a932","sha256_after":"21856e0f13ade504620abdf6b9c5f281230ea31ff718b00c4ffe3bf9014b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T13:32:28.253Z","size_after":42,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":94825}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T13:57:45.814Z","size_after":29,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":24150,"mtime_before":"2023-03-05T13:56:45.814Z","inode_before":90852,"sha1_after":"355d6fb6e87aee04d8b48c75e90fc441511a1294","changed_attributes":["md5"],"md5_after":"14fd9bce217fa93c514752ce37342fac","sha256_after":"da74a589f480a952244a2f9ded3494cf345dd01f185776d3aa50d28d0045"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T13:59:59.952Z","size_after":24,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":65650,"mtime_before":"2023-03-04T13:58:59.952Z","inode_before":94474,"sha1_after":"f9564b068c7bbdcbc1a6d983a67617a07d4a0cee","changed_attributes":["mtime"],"md5_after":"3c205653adc6349716f78f1229efca5a","sha256_after":"dec1540f25880f50eb4bf160c6cf580dac28e712a441975cfd37bd436046"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T23:13:02.179Z","size_after":51,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":86488}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T10:45:32.022Z","size_after":2,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":4069,"mtime_before":"2023-03-05T10:44:32.022Z","inode_before":73638,"sha1_after":"405587bb0ccd8825452de68716335ccb368479e1","changed_attributes":["inode"],"md5_after":"3262ed2ea832f92c3d2ab1bd3b21d6aa","sha256_after":"8ea05c25f411523523945e4698a25139f06bed969f58529887bee8e6669f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T12:34:47.150Z","size_after":65,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":62471}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T13:37:45.926Z","size_after":43,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":16089,"tags":["tmp"],"sha1_after":"fe449f1fbb781529492c447fc8f0fbcc6e8d0ec2","audit":{"process":{"name":"/home/user/sample","id":2851,"ppid":9242},"effective_user":{"name":"ec2-user","id":48},"user":{"name":"wazuh","id":34},"group":{"name":"wazuh","id":55}},"md5_after":"e0e117cfdc2e9d1f5ea1f3508d72231c","sha256_after":"55009bc278226eb268fee5ec7ae9536156cdb45bc170fa60769d5f5b7a91"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/resolv.conf","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T23:07:40.500Z","size_after":55,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":19953,"mtime_before":"2023-03-03T23:06:40.500Z","inode_before":33169,"sha1_after":"a4e2f581262bde79f79887898364bfd7ba1ea654","changed_attributes":["mtime"],"md5_after":"580fad8b69dba32fb35b9345f34b2b99","sha256_after":"6c33b3d7e0164811f9170042dbb6b74ac27897d4b37a29e9ae99c5f416ad"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T02:21:25.361Z","size_after":27,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":49242}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T22:51:02.063Z","size_after":53,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":33187,"mtime_before":"2023-03-03T22:50:02.063Z","inode_before":63700,"sha1_after":"d140ee41030434248f73091978671dd6d17d0531","changed_attributes":["size"],"md5_after":"6814ac11fe8e6f226d7ce4333cf1e91a","sha256_after":"1f8ff77e127786bcdc9bef1835b5a7fa79eeaad2e88ffd8e4e315de4d232"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T12:50:09.543Z","size_after":7,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":22907}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-08T10:26:24.011Z","size_after":46,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":12796,"mtime_before":"2023-03-08T10:25:24.011Z","inode_before":89547,"sha1_after":"06b9bc15f94feaf8aa2248908b3f97db6464f2e0","changed_attributes":["sha256"],"md5_after":"8ce6c997f5c5aa40d56d70598157e021","sha256_after":"a857d1cc19dcb695320081268f575101da71bf8840dca68537fc1028a407"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T00:31:45.203Z","size_after":15,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":98407}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-07T10:54:54.566Z","size_after":10,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":79089,"mtime_before":"2023-03-07T10:53:54.566Z","inode_before":82258,"sha1_after":"efadfaa250dd45d497a9234d6721060e999814e1","changed_attributes":["md5"],"md5_after":"fb6a167e68544b372d0079fcdb8458a4","sha256_after":"d61747384823a7437ebfa4aaebbea15e96cfddce20ca91e5260b79535ca3"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T23:00:25.809Z","size_after":49,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":35129}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T20:13:37.967Z","size_after":15,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":56506,"tags":["tmp"],"sha1_after":"e8a95acb52cfdb4eeccf9eb21cd38713bf333461","audit":{"process":{"name":"/home/user/sample","id":30231,"ppid":95306},"effective_user":{"name":"Administrators","id":33},"user":{"name":"ec2-user","id":29},"group":{"name":"NETWORK Service","id":51}},"md5_after":"1a91dac40d70ce3cf0847f4cc38514f8","sha256_after":"4a4ec035bd01cb63ab73db05462a7731e3f7d64c8c7cd5134a1829f24c49"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-02T02:26:52.946Z","size_after":34,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":92908,"mtime_before":"2023-03-02T02:25:52.946Z","inode_before":19659,"sha1_after":"8e9bc608e8deda67539b48bfb625d88c8e3e623c","changed_attributes":["size"],"md5_after":"bc99fa6fb3e8a972753195992369c48a","sha256_after":"ca7a8302eb10fda0372faf4101aab699438d167927095ef5c78825adbf5d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T13:13:34.072Z","size_after":1,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":66964}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T05:28:26.260Z","size_after":16,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":47045,"tags":["tmp"],"sha1_after":"d549259780d68dcf12dd819e58a9e8834357a0d3","audit":{"process":{"name":"/etc/sample","id":19387,"ppid":88056},"effective_user":{"name":"suricata","id":42},"user":{"name":"LOCAL Service","id":77},"group":{"name":"SYSTEM","id":1}},"md5_after":"32be3b09bdc9af4931eca3461558d4e0","sha256_after":"13ca2c758f290cc3c4ca24a7f532aba3ea3c7d37921d913b80c5238ac224"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"c:\\program files 
(x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T14:50:30.819Z","size_after":34,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":98431,"mtime_before":"2023-03-06T14:49:30.819Z","inode_before":39971,"sha1_after":"0b04bce72e572a1a418469876c63a209297e12ed","changed_attributes":["md5"],"md5_after":"c78ec0d3894638eab7e5ad535baca331","sha256_after":"0e5a9529642f10a9289ceae3f516d123fa094c62be3bb095fcd2b6b706a6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T12:03:33.448Z","size_after":27,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":73347,"mtime_before":"2023-03-04T12:02:33.448Z","inode_before":8588,"sha1_after":"4820d47db1dc4695a698a3e6ee7bf7908029ddd3","changed_attributes":["md5"],"md5_after":"f61c29b6984f69d47612ac5522c25d98","sha256_after":"a31cb85e7f7838c687174b607cc192ab491c991367544aa9e6d63411d88e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-07T11:53:27.894Z","size_after":26,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":30999,"mtime_before":"2023-03-07T11:52:27.894Z","inode_before":26694,"sha1_after":"0ee6a8751d69ba66c4e726bf714a5428de517edf","changed_attributes":["mtime"],"md5_after":"4087a18d24f0b48d8838bb8dd561ac09","sha256_after":"ae7861b6bad4d1bb389a177528fb60dd14d1b1c829ecbe8d70d9973b0c14"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/filebeat/fields.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T20:30:15.828Z","size_after":1,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":68623,"mtime_before":"2023-03-06T20:29:15.828Z","inode_before":89104,"sha1_after":"039ed362db5682eb11ede53720d48164d50511a3","changed_attributes":["inode"],"md5_after":"7f162f9f201d423d54e1e747d55fdc5c","sha256_after":"10cc2b824a71286c8318a4029793623a15f2844f6cab679439123f1d9d31"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-01T12:37:33.887Z","size_after":3,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":76639,"mtime_before":"2023-03-01T12:36:33.887Z","inode_before":57360,"sha1_after":"cb9551db3247c265c1bd9cb032807a3a3fac8fe0","changed_attributes":["sha1"],"md5_after":"af55001da194ba30d40f57d3fc562220","sha256_after":"163320b0f37dced571fd4830c139c2aea444c15cfb4a2936c2c14529d743"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-01T12:29:15.575Z","size_after":61,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":86712,"tags":["tmp"],"sha1_after":"07a36dfecd5e22e633c5756b6e8b636ad95a3d37","audit":{"process":{"name":"/etc/sample","id":24702,"ppid":31641},"effective_user":{"name":"suricata","id":35},"user":{"name":"SYSTEM","id":20},"group":{"name":"ec2-user","id":55}},"md5_after":"69313ad4e16940134c0c7b4836cc23f2","sha256_after":"1e1165a26c89779abf1eff23725cb4a2f47df184aa5f7bfaf97b6d6c4236"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-01T12:09:12.427Z","size_after":22,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":69360,"tags":["tmp"],"sha1_after":"08464ff26349d19e5c577c2464d9ae94fea3f81d","audit":{"process":{"name":"/etc/sample","id":1378,"ppid":85150},"effective_user":{"name":"root","id":2},"user":{"name":"SYSTEM","id":66},"group":{"name":"LOCAL 
Service","id":57}},"md5_after":"0838928369e1c387439e78ed10a03a67","sha256_after":"6a7f9d8886ac8daa63b42bc26d5d04ae2238fdda09160b7fe7da1dfbc564"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T15:10:08.849Z","size_after":2,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":82649,"mtime_before":"2023-03-03T15:09:08.849Z","inode_before":66040,"sha1_after":"01e4babc31778849de42f0eef141286180993cbd","changed_attributes":["inode"],"md5_after":"3c6b2be83e1a6efac32a414bc9c8f78f","sha256_after":"b65607146cc652277012bd00d3b8383859e16551d58ca406a3817bbedf2a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-04T10:38:14.573Z","size_after":58,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":62744}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T09:13:20.877Z","size_after":49,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":92860}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-08T00:59:15.721Z","size_after":10,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":82796}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T09:34:07.794Z","size_after":3,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":53282}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F5","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T23:08:57.948Z","size_after":61,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":2956,"mtime_before":"2023-03-04T23:07:57.948Z","inode_before":67529,"sha1_after":"f0bc1ee74c21da05072efdbf175613d8d46a18d9","changed_attributes":["size"],"md5_after":"d4591e127a9c71bded89e4d610d7bb7c","sha256_after":"8eed5b8adb271fbdc1f99df995b9bc9236209f6c7c0995d20c8ca955fc8f"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T05:32:19.459Z","size_after":36,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":27800,"mtime_before":"2023-03-03T05:31:19.459Z","inode_before":56236,"sha1_after":"fcd9dd24c0a293375287092cb6b6b3b4d15c4bd8","changed_attributes":["sha1"],"md5_after":"2229d3c23ea59aa94a4725e6b9c48395","sha256_after":"4f5470bb9552634d8a8211e35488d8f1af800babc913335049c8069cdf04"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T01:53:44.791Z","size_after":26,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":51516,"mtime_before":"2023-03-05T01:52:44.791Z","inode_before":72399,"sha1_after":"2027ebcbc46d9727ce0b9dcc493523f9e8e67b9f","changed_attributes":["inode"],"md5_after":"baacb9daf7d491014ed30948cde6d8fd","sha256_after":"96fd4eafee14be7179a55829e9b9f7c9f39f9490376537614d9ad6d7daa1"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T19:37:07.717Z","size_after":51,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":86444}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T10:10:39.413Z","size_after":54,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":9773,"tags":["tmp"],"sha1_after":"a47020ca20abce17e9e6c4538f11267a4eec81da","audit":{"process":{"name":"/etc/sample","id":25006,"ppid":89729},"effective_user":{"name":"ec2-user","id":80},"user":{"name":"SYSTEM","id":15},"group":{"name":"SYSTEM","id":73}},"md5_after":"618e317cc9f38820dc763e99b462a4cc","sha256_after":"dedaf5cc2a46b4a53a5fb4487474093534e94da58338a8d90cb0f56b73c8"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T19:36:45.469Z","size_after":25,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":55565,"tags":["tmp"],"sha1_after":"e15ec752a0f4876196f94529dea58858be073086","audit":{"process":{"name":"/tmp/sample","id":74885,"ppid":46017},"effective_user":{"name":"SYSTEM","id":87},"user":{"name":"ec2-user","id":83},"group":{"name":"Administrators","id":49}},"md5_after":"f3ee13a92a5eb75448060675b093c49f","sha256_after":"9c250743ec4c2ccba3ae97b95fe314e8e0cb4b9c8ee532a2120723a358bd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T16:31:17.162Z","size_after":53,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":4028}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T17:00:42.202Z","size_after":8,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":25851}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\programdata\\microsoft\\windows defender\\scans\\mpenginedb.db-wal","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-05T14:48:44.048Z","size_after":42,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":90019,"tags":["tmp"],"sha1_after":"5526bad94c1b9d7e70f6e8cf4e80da01ab80fe6f","audit":{"process":{"name":"/etc/sample","id":5571,"ppid":41202},"effective_user":{"name":"NETWORK Service","id":85},"user":{"name":"NETWORK Service","id":22},"group":{"name":"root","id":35}},"md5_after":"daf4f9597c3aa71778f5fc70dcb08c59","sha256_after":"3429102febfe0870e2e1ce45231b0536e0d3039dbc54ff5fd6bb9e104ceb"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T05:33:54.527Z","size_after":52,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":56366}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\queue\\fim\\db\\fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T21:01:23.281Z","size_after":55,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":96335,"tags":["tmp"],"sha1_after":"310860eb3bf94346ef17de764549ecf5b14f1af5","audit":{"process":{"name":"/home/user/sample","id":33778,"ppid":12029},"effective_user":{"name":"SYSTEM","id":89},"user":{"name":"Administrators","id":33},"group":{"name":"LOCAL Service","id":41}},"md5_after":"093c89c646bb6b6bf302c5eb5694494d","sha256_after":"4dba91a66b82fcd9a3241799679d14dbb102741f1bdc52a0cce00312e2e6"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKslDrv","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T09:23:50.426Z","size_after":46,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":57906,"tags":["tmp"],"sha1_after":"d55fc5498bcace7244d5d36742817671a390e61c","audit":{"process":{"name":"/tmp/sample","id":65439,"ppid":33001},"effective_user":{"name":"suricata","id":88},"user":{"name":"ec2-user","id":19},"group":{"name":"SYSTEM","id":52}},"md5_after":"f476a9e610af6b87fe4b3d989a90cd6f","sha256_after":"6230cdb4f86b7fed916a5358c0ded147e4c397494f4014c4d3d3a9cb77e8"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T16:25:02.882Z","size_after":26,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":57101,"tags":["tmp"],"sha1_after":"9755f23af0ca86a7ca618e46768e19a65d587824","audit":{"process":{"name":"/etc/sample","id":1628,"ppid":38950},"effective_user":{"name":"root","id":11},"user":{"name":"SYSTEM","id":0},"group":{"name":"root","id":96}},"md5_after":"587e64cdc04f8437354edb105766c4ed","sha256_after":"3cab228ba219a02a6db15a8ab738c4440536051ac9edaaedc25efeb0084a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-02T12:41:50.762Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":79800,"tags":["tmp"],"sha1_after":"69f71a3aff1d21b9d2637450e09053a154f7be7a","audit":{"process":{"name":"/home/user/sample","id":65826,"ppid":590},"effective_user":{"name":"SYSTEM","id":48},"user":{"name":"root","id":37},"group":{"name":"wazuh","id":24}},"md5_after":"1413be3ad9e5b2213781d162927b97bd","sha256_after":"111fc017e11b39243f7f9da1f200e94dbb32d1d885239961e63dccf667b0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-01T23:01:54.413Z","size_after":6,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":2001,"tags":["tmp"],"sha1_after":"23401f9be5bb98570c00fedd3330340841f7b9ef","audit":{"process":{"name":"/home/user/sample","id":60034,"ppid":12733},"effective_user":{"name":"SYSTEM","id":49},"user":{"name":"NETWORK Service","id":29},"group":{"name":"LOCAL Service","id":27}},"md5_after":"7ce98343532d506b2bb65af2978bdc09","sha256_after":"811d78562acd259be2cae587bb9092b03249543c752daba79ab8802f78ab"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-07T10:33:07.244Z","size_after":17,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":34267}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-03T16:58:02.495Z","size_after":36,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":55906,"tags":["tmp"],"sha1_after":"fbd652a24ecdc5d3dacfcb98236a5b1875b255ed","audit":{"process":{"name":"/home/user/sample","id":82929,"ppid":63250},"effective_user":{"name":"suricata","id":69},"user":{"name":"root","id":84},"group":{"name":"root","id":95}},"md5_after":"f3b52ec8a29854d5b33a6d73885b8a81","sha256_after":"c0cb01fc4c9f14911d3d6ee58574d181c565fe3767086a5e5780f7eb6ce4"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T05:52:59.222Z","size_after":56,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":57208}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T04:43:31.208Z","size_after":6,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":47498,"mtime_before":"2023-03-02T04:42:31.208Z","inode_before":88533,"sha1_after":"3145a77d401f9f4f652ef5296ac41a52b92033ef","changed_attributes":["mtime"],"md5_after":"67f740b4e22ab342427fc859bec43130","sha256_after":"b56cfcf92ea5683198ce0f149316418700868a11a85d8995894ae3b29596"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T10:49:44.836Z","size_after":39,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":59463,"tags":["tmp"],"sha1_after":"9f45346ced0378a0fe04d7c2f2dd0ea73c8063a7","audit":{"process":{"name":"/etc/sample","id":23505,"ppid":36714},"effective_user":{"name":"SYSTEM","id":89},"user":{"name":"SYSTEM","id":4},"group":{"name":"LOCAL Service","id":74}},"md5_after":"10b708ebced191027310646723b68b8b","sha256_after":"572ef3d6de2fdeb3c327c4eb8dc1c3ab9fbb35fb3265bafb54a07741462a"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T20:12:08.804Z","size_after":61,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":4004}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-06T13:27:03.802Z","size_after":31,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":8317,"mtime_before":"2023-03-06T13:26:03.802Z","inode_before":24403,"sha1_after":"bc6c22b40be6fa825257baaf86f20ec0d34b0270","changed_attributes":["sha1"],"md5_after":"94e9c534e6eccce11e277cc3df75c3d6","sha256_after":"859376e339da48303df21ccae480a909fd7e9d8485d4db3ae2e4558c23b8"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T14:17:53.713Z","size_after":51,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":25503,"tags":["tmp"],"sha1_after":"86e7583fe6336ec259bc0c40cf250b90bed285eb","audit":{"process":{"name":"/home/user/sample","id":61848,"ppid":9453},"effective_user":{"name":"ec2-user","id":19},"user":{"name":"NETWORK Service","id":87},"group":{"name":"wazuh","id":48}},"md5_after":"fe77eb33f2aaeeb01fb0654e48dfaa8f","sha256_after":"bea0051da24a4d3e23a4feab18fb1d82032c4bd957caebc55c831abe35d1"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-04T21:57:57.541Z","size_after":26,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":11035,"tags":["tmp"],"sha1_after":"903efe16310b199c45abaeb1b6cc86c2f1eb99fb","audit":{"process":{"name":"/etc/sample","id":42906,"ppid":42176},"effective_user":{"name":"SYSTEM","id":35},"user":{"name":"ec2-user","id":46},"group":{"name":"ec2-user","id":54}},"md5_after":"48651345c71529bded0a52880cb1d031","sha256_after":"a04e4fb8cc49ca57ff113d617131a68a431821643e8e9cef3a5e3f36eec0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-06T10:32:08.121Z","size_after":17,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":79965,"mtime_before":"2023-03-06T10:31:08.121Z","inode_before":29677,"sha1_after":"f29096cbe0722c188cbdd0bee4dc23a71eeca3d0","changed_attributes":["md5"],"md5_after":"4f063a651e3a9b4dc66bdc5962c75010","sha256_after":"205d3c6c817e5a88a043956e616770b2407e9e325239e66d4525b1a7417b"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T23:44:24.402Z","size_after":43,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":39270}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T09:36:12.711Z","size_after":13,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":26721}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T12:11:37.866Z","size_after":34,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":35200,"mtime_before":"2023-03-06T12:10:37.866Z","inode_before":41587,"sha1_after":"022340764ae699686aaf1f9e6e3f07e15f73bcef","changed_attributes":["sha256"],"md5_after":"caff3a0f854c33aa60748aedd83a2379","sha256_after":"5fda26e95d4533b4b901c49eb1fbe73cae7b9da564e5311ba24f5ff0140e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T00:39:55.126Z","size_after":60,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":22654,"mtime_before":"2023-03-05T00:38:55.126Z","inode_before":16513,"sha1_after":"e729848ef628884075d1f15d245a29cd149ebf6a","changed_attributes":["md5"],"md5_after":"1ef232412448ec43ccfdf613cb2f8b46","sha256_after":"eb64d95b4e656a922499fe8795c485b1849e30806264a8c8087e07c2fac1"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T12:06:37.240Z","size_after":19,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":90703,"mtime_before":"2023-03-07T12:05:37.240Z","inode_before":87835,"sha1_after":"0f12872a2a3e70fab291d11b0ac167fbf84c19d2","changed_attributes":["sha256"],"md5_after":"dc2ad4225e198ecbfb87dfa70a3e4fca","sha256_after":"00ae28f568b148c261a731456fbc00e6ce3f15cd1f01e36d5d16b0b76036"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-08T05:54:16.149Z","size_after":64,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":60461,"mtime_before":"2023-03-08T05:53:16.149Z","inode_before":87998,"sha1_after":"a7bc162970d07123cc751e0f71c39ecf95fcdc61","changed_attributes":["sha1"],"md5_after":"723e6dc926ec60050a95323121671c3d","sha256_after":"ae4b22faf20c7a049cee95e9a81780bc3086c5e24c0a0a1c132c74ad4b83"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-06T10:51:42.051Z","size_after":35,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":68589,"mtime_before":"2023-03-06T10:50:42.051Z","inode_before":55673,"sha1_after":"6a0b7ce701083b10b638f5619bedb05ea52d6f7d","changed_attributes":["sha1"],"md5_after":"9c6d228773b7ff4eee79442747d48f8d","sha256_after":"43987b34c76c16a4f0d726444d5a203f4a75022529bd6a093f96657df5a0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T14:56:07.033Z","size_after":63,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":86091}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T07:00:43.204Z","size_after":16,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":49293,"tags":["tmp"],"sha1_after":"c44cbaa84285c14e8467d2eb9015db9738b7e831","audit":{"process":{"name":"/tmp/sample","id":81952,"ppid":1135},"effective_user":{"name":"LOCAL Service","id":86},"user":{"name":"Administrators","id":32},"group":{"name":"root","id":6}},"md5_after":"c64420285e8f111752c61b522734d420","sha256_after":"0691ac4d7c94e97c174d60afe0daa9494364c280e142d0381549b0352090"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T16:59:37.963Z","size_after":4,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":95372,"mtime_before":"2023-03-05T16:58:37.963Z","inode_before":25950,"sha1_after":"da314886fcd31c12dc28cfd7bfd89ec53a4b8481","changed_attributes":["tmp"],"md5_after":"75ed9aabf4c9eb029ff5bb11358fae5f","sha256_after":"54c7c9d68b18ed70992f55e70ff2641c136fdaabf5c70df0193268693aa9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T00:44:15.936Z","size_after":58,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":80799,"tags":["tmp"],"sha1_after":"0b53606848e2e56140d8103884d4471194bc226b","audit":{"process":{"name":"/tmp/sample","id":97442,"ppid":68947},"effective_user":{"name":"root","id":82},"user":{"name":"NETWORK 
Service","id":3},"group":{"name":"wazuh","id":66}},"md5_after":"1094639c0020a56dfd3560e58f189140","sha256_after":"1c44a681c3f3ecf3a7930f2cea6f1db8fd05a35fa06aa31b16c7c453c1f0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-02T23:07:40.335Z","size_after":26,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":50673}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T10:51:49.875Z","size_after":53,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":4259,"mtime_before":"2023-03-03T10:50:49.875Z","inode_before":2231,"sha1_after":"e00af3ec31cf895bd16c5cab012cba89af4c4c54","changed_attributes":["mtime"],"md5_after":"c5e3199b5c54a75c819050f02a3996c2","sha256_after":"c061c459b3f0b001f6dedc379142fb61b207c9ed78ecd8db18cda620e394"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T08:51:56.494Z","size_after":32,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":568}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T16:59:15.564Z","size_after":7,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":44975,"mtime_before":"2023-03-04T16:58:15.564Z","inode_before":50591,"sha1_after":"75d68e92902be6ab5706177272c2c6ab90f02f5a","changed_attributes":["sha256"],"md5_after":"b94b51db5c72c6f6a621ff3185956118","sha256_after":"5598fe0539e8aece253cc9ebe96e82911f205af2d35588e50169d1e22afb"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-05T06:51:16.403Z","size_after":8,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":26328,"tags":["tmp"],"sha1_after":"01c5b068cc56e2586baba1953e4f967ca5427a0b","audit":{"process":{"name":"/tmp/sample","id":88854,"ppid":14719},"effective_user":{"name":"wazuh","id":35},"user":{"name":"Administrators","id":79},"group":{"name":"Administrators","id":84}},"md5_after":"88443bdf624fb5028023e800c4599534","sha256_after":"b489440cb378e8789525bc0373d723abfada6f26a4793964f76c5f8b2928"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"c:\\program files (x86)\\wazuh-agent\\wodles\\syscollector","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T06:36:10.518Z","size_after":31,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":7898}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Epoch","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T18:47:01.489Z","size_after":18,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":62593}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-07T19:08:13.765Z","size_after":63,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":31897,"mtime_before":"2023-03-07T19:07:13.765Z","inode_before":77001,"sha1_after":"1460cf84f76a5490cf74d313000fc14cf42b79b7","changed_attributes":["inode"],"md5_after":"c78ae6e8308eeddda3d0d089288294e4","sha256_after":"05110efe1dae6e51b48d3f578f8662692ed20d24435a595ae5e568d990e6"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-05T03:33:10.138Z","size_after":7,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":73508,"tags":["tmp"],"sha1_after":"c5ccd43c0af921ce76d8631516e3aa3e6158e931","audit":{"process":{"name":"/etc/sample","id":40775,"ppid":47912},"effective_user":{"name":"Administrators","id":8},"user":{"name":"wazuh","id":36},"group":{"name":"SYSTEM","id":30}},"md5_after":"8db06ca19a5dbafe80368c34b7f9dc81","sha256_after":"6423433fe0c67ed50e938794c59427f91b87926f03296b2de446ba00515c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T16:05:58.779Z","size_after":6,"uid_after":"996","gid_after":"0","perm_after":"rw-r--r--","inode_after":81137}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T10:04:13.380Z","size_after":10,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":25466,"tags":["tmp"],"sha1_after":"f7bfdc4602922d6fe14b69357a5eb9b1ea755c99","audit":{"process":{"name":"/home/user/sample","id":45814,"ppid":39637},"effective_user":{"name":"root","id":41},"user":{"name":"root","id":13},"group":{"name":"suricata","id":38}},"md5_after":"2336f13493c2153aa88ec74fc106fdaa","sha256_after":"219009dffe9895ee81d868d53bea854b0d916615184da25e19df9e1744b9"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-02T20:35:25.174Z","size_after":38,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":20094,"mtime_before":"2023-03-02T20:34:25.174Z","inode_before":40541,"sha1_after":"ba0fa4e7854e99b1c8ceff188fb21d1b9036c708","changed_attributes":["sha1"],"md5_after":"409fe78771302ab8d7606201acc6482a","sha256_after":"9e6f052f547ae57174335ba2b3e98392633b45e5272653ac000efdac7c53"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T03:31:31.789Z","size_after":15,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":50442,"mtime_before":"2023-03-04T03:30:31.789Z","inode_before":4298,"sha1_after":"33a339d50a1d586411d1661abf3bb139710cd59a","changed_attributes":["sha1"],"md5_after":"6f112748516d45f85a97b32d3ba77336","sha256_after":"7ba4923a36f5b7fd4b91bc1f73e0b72f70262e9763455ecfe625250c1282"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/wazuh-config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T17:21:10.127Z","size_after":44,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":74202}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-06T00:25:01.528Z","size_after":45,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":87795,"tags":["tmp"],"sha1_after":"615a8bc9b3f8c5e5d39df6fc3460985ae85fde90","audit":{"process":{"name":"/home/user/sample","id":91215,"ppid":46715},"effective_user":{"name":"root","id":94},"user":{"name":"wazuh","id":94},"group":{"name":"LOCAL Service","id":49}},"md5_after":"d19d422451cf90f0938e080ae7293376","sha256_after":"82e8c63b0dc021734ba6a8c4208a96687bb1a0e6f1f405bfa5df24dd35bf"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T17:42:40.079Z","size_after":11,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":30893}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T19:13:07.432Z","size_after":10,"uid_after":"S-1-5-19","gid_after":"0","perm_after":"rw-r--r--","inode_after":51157,"tags":["tmp"],"sha1_after":"8a9de073712890d4eaf736b83ba9cf3365a3fb0d","audit":{"process":{"name":"/etc/sample","id":76053,"ppid":10016},"effective_user":{"name":"ec2-user","id":62},"user":{"name":"NETWORK Service","id":58},"group":{"name":"NETWORK Service","id":26}},"md5_after":"042f6acd35324eed6413ee53419f4966","sha256_after":"3a3019d45521e45c060d9dadf36c95d2ce3496df07700cae2bc1c02f1435"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T01:46:10.731Z","size_after":44,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":90554}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/osquery/osquery.db/CURRENT","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-01T14:46:49.698Z","size_after":35,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":87406,"mtime_before":"2023-03-01T14:45:49.698Z","inode_before":79250,"sha1_after":"70366d4c0f3be9c83e59086fd39301e957a02215","changed_attributes":["tmp"],"md5_after":"8fbcf53e552928178f412a08072480a4","sha256_after":"2699f7faea5e204419e381f1f0285965cb09917e676b97d503e5f04753e7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-02T04:14:29.702Z","size_after":59,"uid_after":"S-1-5-19","gid_after":"22","perm_after":"rw-r--r--","inode_after":1447,"tags":["tmp"],"sha1_after":"ad96d21afa9c1b22ab2203d86a4740c678edd7e3","audit":{"process":{"name":"/home/user/sample","id":2237,"ppid":82600},"effective_user":{"name":"wazuh","id":81},"user":{"name":"NETWORK Service","id":29},"group":{"name":"NETWORK Service","id":76}},"md5_after":"21baa1f3607bf5038f028a5a0eb9f8be","sha256_after":"cf7169bbc9fa28b0127254418a866b03744ac209dddaf8f5c6d8d4baf96d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T04:44:19.547Z","size_after":35,"uid_after":"S-1-5-18","gid_after":"190","perm_after":"rw-r--r--","inode_after":90206}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"c:\\program files (x86)\\wazuh-agent\\rids\\sender_counter","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-04T12:35:52.558Z","size_after":28,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":40671,"tags":["tmp"],"sha1_after":"6287569a633431255441a31695125e4c8b752d90","audit":{"process":{"name":"/home/user/sample","id":24542,"ppid":40601},"effective_user":{"name":"wazuh","id":88},"user":{"name":"NETWORK Service","id":90},"group":{"name":"NETWORK Service","id":29}},"md5_after":"60f9b71aa61487a2f4819291bdf1c133","sha256_after":"c4cbcf71aaa1fc7b6b6ee4f8f242f362ac828fc51dd247a38a1ce1339286"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-03T21:54:21.237Z","size_after":8,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":93973,"tags":["tmp"],"sha1_after":"20929dce8140d50edc7db5c9f8f705586bfe6847","audit":{"process":{"name":"/tmp/sample","id":93172,"ppid":65262},"effective_user":{"name":"LOCAL Service","id":90},"user":{"name":"ec2-user","id":81},"group":{"name":"NETWORK Service","id":5}},"md5_after":"6c8bf2b1b124725b80b3d61b1b15701c","sha256_after":"d1a99a47be0ddfb98332b0238bf4e380a05e4f73a89fd22d9d32651e6c3e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-05T23:15:18.574Z","size_after":51,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":54055}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T10:16:53.381Z","size_after":30,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":36116,"mtime_before":"2023-03-06T10:15:53.381Z","inode_before":5732,"sha1_after":"b522acaaa876a888421313abba637a4399eb3737","changed_attributes":["md5"],"md5_after":"5e6aa2bd19de69aabe142c987d24d14d","sha256_after":"6f437796a3f2bda77158554d0ef1f9ffe6050c2cb3a49ee4eacf9f620c03"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/agent.conf","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-05T13:46:17.955Z","size_after":51,"uid_after":"S-1-5-18","gid_after":"993","perm_after":"rw-r--r--","inode_after":7748,"mtime_before":"2023-03-05T13:45:17.955Z","inode_before":68813,"sha1_after":"e873eb94b035055484d378d8f11c4c6a15d67209","changed_attributes":["sha256"],"md5_after":"5ea453bce6b7a1962bd8ae62717c7ae5","sha256_after":"4a3e8deb14beab6cb56630be35fac8aad2fb949a0cbcc6a2c78b623876c7"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-05T09:40:33.872Z","size_after":64,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":69284,"mtime_before":"2023-03-05T09:39:33.872Z","inode_before":79917,"sha1_after":"18eb2bd21423271e446e3c9d46038da9315280c8","changed_attributes":["tmp"],"md5_after":"e6e54497e2148a7d28c42d86982d90f9","sha256_after":"668c4edb814d695cb1e34b85ceaad84e516e0918e521c45a8605bf2c95a7"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-02T09:47:08.407Z","size_after":30,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":34343,"mtime_before":"2023-03-02T09:46:08.407Z","inode_before":13853,"sha1_after":"f6501499668b100f2bc61f0750494ec2272ebef0","changed_attributes":["sha256"],"md5_after":"4fc66c811a6d2fcaa9889e52db257ee0","sha256_after":"a7c79d1feea6bc8169bad4076c022abf16b0e41156a57feddacd22113460"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T12:47:02.600Z","size_after":60,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":75994,"mtime_before":"2023-03-04T12:46:02.600Z","inode_before":9618,"sha1_after":"540ab9f578481209dc9de9d8aa096125ae9f114f","changed_attributes":["size"],"md5_after":"939a477d75f38e83b5c3f74256e09201","sha256_after":"18aa511ac7e345734a48951550308bd310ffabbd93b1a407fd520a5286ca"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-04T22:22:36.578Z","size_after":14,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":19010,"tags":["tmp"],"sha1_after":"5dd5c14988d2b3c8668d68b20829acde328a4e9a","audit":{"process":{"name":"/home/user/sample","id":68038,"ppid":69573},"effective_user":{"name":"NETWORK Service","id":46},"user":{"name":"suricata","id":67},"group":{"name":"ec2-user","id":30}},"md5_after":"fe8ffbe92283a4a8ecee90db50e3b79f","sha256_after":"fc15077043c3f9a0659e258b3b32ee89e12dae9b24cfde6aeebc7083e92e"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/filebeat/fields.yml","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T13:58:48.608Z","size_after":45,"uid_after":"S-1-5-19","gid_after":"994","perm_after":"rw-r--r--","inode_after":96791,"tags":["tmp"],"sha1_after":"9032b08892aa6824e4fe8dfb79e7c5bc12240f18","audit":{"process":{"name":"/home/user/sample","id":31361,"ppid":32708},"effective_user":{"name":"LOCAL 
Service","id":77},"user":{"name":"ec2-user","id":27},"group":{"name":"root","id":47}},"md5_after":"05fbdb6c516fb1015d8c48aa3d68fec6","sha256_after":"e91399e5b86af6a95d370bdbdb531ee53b6593ecd0a9ff9a3b14a13e5fea"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"[x32] HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users\\000001F7","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T04:50:19.358Z","size_after":7,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":87919}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/log/lastlog","uname_after":"LOCAL 
Service","gname_after":"root","mtime_after":"2023-03-05T16:03:32.167Z","size_after":2,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":64873,"mtime_before":"2023-03-05T16:02:32.167Z","inode_before":25386,"sha1_after":"61a5c9fe73da7eba238297bb0c8e54c8083305c9","changed_attributes":["sha256"],"md5_after":"47c2b83bc3e4e5ac95acdd9abc9f660f","sha256_after":"71c929a7bd4ca18c3c4bf8e0d7d75f91d56e4fa6daa17cc5e1cca3f93475"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-03T18:51:41.979Z","size_after":24,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":79113}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-02T07:54:51.565Z","size_after":65,"uid_after":"996","gid_after":"190","perm_after":"rw-r--r--","inode_after":67691}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-08T07:53:14.558Z","size_after":41,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":1041,"mtime_before":"2023-03-08T07:52:14.558Z","inode_before":93123,"sha1_after":"c34fe6fd75424b08b7066fd538a1eb4f797bc3da","changed_attributes":["sha1"],"md5_after":"aadae48e853bc25ca7c61be6b5a2d70e","sha256_after":"307f2f816d9445644bc70828b98558b17fe2b056369f76613d23714e85fd"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"NETWORK 
Service","gname_after":"root","mtime_after":"2023-03-04T21:11:56.822Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":33649,"mtime_before":"2023-03-04T21:10:56.822Z","inode_before":53574,"sha1_after":"c2c3dd15966beb17a109f38eb9a5205d01d52568","changed_attributes":["md5"],"md5_after":"7941dee686bd453da70058b9345258d9","sha256_after":"457f403fe8089bacf872caad3210ccad007189c6dfcaecc4e71917a20730"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-08T03:10:59.707Z","size_after":52,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":5875,"mtime_before":"2023-03-08T03:09:59.707Z","inode_before":70613,"sha1_after":"ad4987e746c4836d8d5c7f9df1b90ba4c7597739","changed_attributes":["sha256"],"md5_after":"b528a0054542a5bcc230883910ce969a","sha256_after":"7bb6b435d6fa20a76085b849811a79536ca30c8de63e5e039de05a91d238"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T04:27:05.187Z","size_after":5,"uid_after":"996","gid_after":"994","perm_after":"rw-r--r--","inode_after":77732}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/users","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T01:09:06.383Z","size_after":12,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":6968}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/users","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T06:47:36.528Z","size_after":41,"uid_after":"S-1-5-19","gid_after":"993","perm_after":"rw-r--r--","inode_after":52450,"mtime_before":"2023-03-06T06:46:36.528Z","inode_before":73758,"sha1_after":"0ce5ec290f4d952a717977a0662f92c786e490ba","changed_attributes":["tmp"],"md5_after":"044c1e083812b7857fafaff75ab00883","sha256_after":"1e1a473c9b1ebb5ae3990f66157dc4d759b350caf8649ed62cd72ba397af"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"wazuh","gname_after":"root","mtime_after":"2023-03-04T16:06:03.123Z","size_after":45,"uid_after":"0","gid_after":"993","perm_after":"rw-r--r--","inode_after":57463,"mtime_before":"2023-03-04T16:05:03.123Z","inode_before":80039,"sha1_after":"7693041fba5f5eaa96c910e36d4da72b30607d45","changed_attributes":["mtime"],"md5_after":"6bb6a80ba1197dfd4afdf1028e983ac4","sha256_after":"3a1da1aed9fef097bb1b1a1422ec3a14b22ce51413ee0365030373ca2f47"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T02:36:06.330Z","size_after":39,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":17200,"tags":["tmp"],"sha1_after":"d7d7e6316719e8fe32d456d6952365fe0e0cea89","audit":{"process":{"name":"/tmp/sample","id":99532,"ppid":22473},"effective_user":{"name":"wazuh","id":11},"user":{"name":"Administrators","id":56},"group":{"name":"LOCAL Service","id":81}},"md5_after":"83f8f440b63aeba0a8eb75b0a98ede52","sha256_after":"68f8a528a82242817a4cb635343b0d382978e1ec0f8f76eb891ad538c091"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/elasticsearch/config","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-05T05:08:38.848Z","size_after":59,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":93754,"tags":["tmp"],"sha1_after":"7b19324ec43a0c54c5fd737d577da7d6fc5307c3","audit":{"process":{"name":"/tmp/sample","id":43408,"ppid":51750},"effective_user":{"name":"suricata","id":5},"user":{"name":"SYSTEM","id":74},"group":{"name":"ec2-user","id":59}},"md5_after":"88029ce85da8bc6bff2edf7c56aac5dd","sha256_after":"dd4502c548f2309ef199169317fe50a704e324cd78ebfcdd796f0e4c626d"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/tmp/agent.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-05T05:50:55.581Z","size_after":62,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":90086}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/tmp/wazuh-config","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-02T13:05:18.634Z","size_after":55,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":37372,"tags":["tmp"],"sha1_after":"cc29ba9c8d3e3bef768534f41cdaff643948f05c","audit":{"process":{"name":"/tmp/sample","id":35752,"ppid":27578},"effective_user":{"name":"wazuh","id":100},"user":{"name":"wazuh","id":30},"group":{"name":"LOCAL Service","id":37}},"md5_after":"97152fcc5a5f2fd1fa258550c2697ef5","sha256_after":"f229b6ba61f0c45ba5f240319218782cca370ae90a0aa70079c300b5432c"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-04T19:59:22.613Z","size_after":63,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":55153}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-06T02:15:10.735Z","size_after":49,"uid_after":"S-1-5-32-544","gid_after":"0","perm_after":"rw-r--r--","inode_after":74245}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T05:24:27.333Z","size_after":62,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":27288,"tags":["tmp"],"sha1_after":"ab7d0a2f2b678ff61dd67933bee06ae2cc8d8fba","audit":{"process":{"name":"/tmp/sample","id":2477,"ppid":16518},"effective_user":{"name":"SYSTEM","id":45},"user":{"name":"NETWORK Service","id":93},"group":{"name":"suricata","id":27}},"md5_after":"8b0939594a3630551de673bbd73fd741","sha256_after":"8d2e32043a1341026a1fc122c77d19db208399da200fe74bbbaa077cf6f0"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/resolv.conf","uname_after":"SYSTEM","gname_after":"root","mtime_after":"2023-03-03T13:43:14.822Z","size_after":49,"uid_after":"996","gid_after":"993","perm_after":"rw-r--r--","inode_after":82384}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-08T05:19:53.959Z","size_after":60,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":66725,"tags":["tmp"],"sha1_after":"17245ecc01f21d057bb03bd6eb8c0f33f6ec6538","audit":{"process":{"name":"/etc/sample","id":67592,"ppid":39164},"effective_user":{"name":"Administrators","id":53},"user":{"name":"Administrators","id":45},"group":{"name":"LOCAL Service","id":79}},"md5_after":"fa98d24bc518fb36cb1b398cae37b672","sha256_after":"7ed9454e6eaea849d5c8b95658a8743530d71a128c3abad05e1eba016316"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File 
deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/var/osquery/osquery.db/CURRENT","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-05T09:10:41.213Z","size_after":25,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":76681,"tags":["tmp"],"sha1_after":"5eb8c18292206615f24b9836b49502c29fb00e87","audit":{"process":{"name":"/etc/sample","id":22259,"ppid":24888},"effective_user":{"name":"SYSTEM","id":23},"user":{"name":"Administrators","id":5},"group":{"name":"ec2-user","id":62}},"md5_after":"4e38a242cdad5e0c386a38739ea6bb24","sha256_after":"9d01f326440beb492915529b9c07531de0963d867dbbe9d3178eb166e085"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/etc/resolv.conf","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T02:08:44.696Z","size_after":9,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":38802,"tags":["tmp"],"sha1_after":"8b1fdcc1124cb1e341ab74f2350cf5378cd49852","audit":{"process":{"name":"/home/user/sample","id":32018,"ppid":99873},"effective_user":{"name":"Administrators","id":20},"user":{"name":"LOCAL 
Service","id":95},"group":{"name":"suricata","id":24}},"md5_after":"6c16805600035f1cd47779c70e223b72","sha256_after":"d8f4cd54d6094e05e11f8c174b2ddceaee5694fe718d679ef43e1224d78a"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-07T02:16:48.413Z","size_after":62,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":8229,"mtime_before":"2023-03-07T02:15:48.413Z","inode_before":59302,"sha1_after":"67fb63347927075b408df4879c762eb8051825e9","changed_attributes":["size"],"md5_after":"4ebe813a9012e00930873080aad1e10f","sha256_after":"51f5dcb999ad00fc0bde28cf2f4a42e9b3c8ad2c2fcc9f54449555626554"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum 
changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-02T04:32:16.062Z","size_after":32,"uid_after":"S-1-5-19","gid_after":"190","perm_after":"rw-r--r--","inode_after":49649,"mtime_before":"2023-03-02T04:31:16.062Z","inode_before":68925,"sha1_after":"f1ed3f122f69e0e81da6c58ac214037161e92b1b","changed_attributes":["size"],"md5_after":"3b6e079d4af1c000b53c6a6485f1071a","sha256_after":"6dffc44086459b8dea422f41bdaa664411e8f7ef740104c88f8743ec8102"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/elasticsearch/config","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-03T17:36:08.527Z","size_after":16,"uid_after":"0","gid_after":"0","perm_after":"rw-r--r--","inode_after":83879,"mtime_before":"2023-03-03T17:35:08.527Z","inode_before":1562,"sha1_after":"0875508ccfb4cc35788ed710d052d4c1ff31171e","changed_attributes":["size"],"md5_after":"525f19246c3cbd900aa17a85068716c2","sha256_after":"a9ce40ef134b42eb035987e6148a564d365391f7d216eb8cc96428b0fd0b"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db-journal","uname_after":"NETWORK Service","gname_after":"root","mtime_after":"2023-03-04T16:56:00.112Z","size_after":38,"uid_after":"0","gid_after":"994","perm_after":"rw-r--r--","inode_after":77029}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File deleted.","groups":["wazuh","syscheck"],"id":"553","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"deleted","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-05T07:50:34.009Z","size_after":5,"uid_after":"996","gid_after":"22","perm_after":"rw-r--r--","inode_after":68829,"tags":["tmp"],"sha1_after":"f618759a6d267c5a3314be58f980c2fc4797c1df","audit":{"process":{"name":"/tmp/sample","id":73382,"ppid":82197},"effective_user":{"name":"suricata","id":14},"user":{"name":"ec2-user","id":84},"group":{"name":"ec2-user","id":27}},"md5_after":"ed65cf0103d6d3873e641829ba7c44c6","sha256_after":"d95b266dbc556badac0c760cfb6f07134a4eb74865825265c5854c43ffdd"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/config","uname_after":"root","gname_after":"root","mtime_after":"2023-03-03T03:08:16.969Z","size_after":22,"uid_after":"0","gid_after":"190","perm_after":"rw-r--r--","inode_after":35173}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"root","gname_after":"root","mtime_after":"2023-03-04T00:21:48.146Z","size_after":4,"uid_after":"S-1-5-32-544","gid_after":"22","perm_after":"rw-r--r--","inode_after":93281}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the 
system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/run/utmp","uname_after":"LOCAL Service","gname_after":"root","mtime_after":"2023-03-06T05:28:15.302Z","size_after":58,"uid_after":"0","gid_after":"22","perm_after":"rw-r--r--","inode_after":8493}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which 
is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":22,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":29},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":40},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":23},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":20},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":46},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":44},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":22,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance 
i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host 
on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":45},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":47,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":38},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":48},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an 
unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":40,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":39,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which 
is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":13,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":41,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":20},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an 
unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":25},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":31,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating 
with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 
on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":34},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":25},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":35,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":16,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":41,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":27},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":30,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":37,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":25},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":23,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":18,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":34},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":16,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":37,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 
instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":36},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance 
i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":23,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":29,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":45},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":40,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":15,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":43},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":38},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":22,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":37,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":45},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":26,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":48},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance 
has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":37,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":27},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":33,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":38},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":43},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":32,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":29},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":21},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":41},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":12,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":43,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":37,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":23},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":50},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":42},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":38},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":19},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":29,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":30,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an 
unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":40},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an 
unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":18,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being 
probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":19},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":35,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":21},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":44},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an 
unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":13,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - 
S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host 
on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being 
probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":19},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":40},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":18,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":33,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":29,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an 
unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":23,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 
Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":26},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for 
principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":47},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an 
unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":39},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 
instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen 
for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":27},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":18,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 
Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":50},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound 
communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":39},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":26},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for 
principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":22,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which 
is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":38},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":50,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":19,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":22,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":20},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":44},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 
instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 
instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":36},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":40,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":25,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":41},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":18},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":33},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":43,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":41},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy 
to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a 
remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights 
to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":23},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":26},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":47},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server 
port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":50,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":26},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - 
S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 
Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":34},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to 
Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":47},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":38},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":30,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":50},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":46},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":40},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for 
principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":34,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":44},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":21},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":18},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being 
probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - 
S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":16},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":26},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":27},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":19},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":29},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":32,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":26,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 
Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":20},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":29,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":43,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":43,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for 
principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host 
on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance 
i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 
instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating 
with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read 
rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":29},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating 
with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 
on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":38,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host 
on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 
instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":48,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":32,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":44},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host 
on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 
instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":47},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":33},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":50,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":46},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to 
Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":37},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":12,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":42,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":25},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":50,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 
instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":30,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":39,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":32,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":32},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":28},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":34},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":25},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":43},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":12,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has 
an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":25},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being 
probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":15,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":43},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating 
with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses 
IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":49},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":33,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":21},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":13,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":15,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an 
unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":45},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an 
unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":21,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port 
which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":50},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":31},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. 
Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":50,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":45,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being 
probed. [IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":39},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":14,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":24,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":17},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":40,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":48},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":43,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":27},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":42},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":46,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":33},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":45},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":26},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":23,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":46},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":34},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":39},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":47,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from 
EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":17},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":26,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":42},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":29},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":37},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":23},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM 
GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico 
Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":36},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote 
host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to 
Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":35,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which 
is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":40,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":19},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":47,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":24},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":30},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":50},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":20,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being 
probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":36,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication 
seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":21},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen 
from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":42},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":45},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":29},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":40},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 
is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen 
from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":22},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":22},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":20},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":32},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":40},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":49,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on 
an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":24},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":47,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":27,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being 
probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":39},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":44,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":18,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":16},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":32,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance 
i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 
Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":47},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an 
unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":27},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":35},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":49},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":18},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net 
Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 
2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":28},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
SYSTEM.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 70.24.101.214] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is 
being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":35},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":36},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK 
Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":17,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":43},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":42},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":21},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":33,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 160.0.14.40] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net 
Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":31},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. 
If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":33},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":46},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is 
communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":true,"level":12,"description":"AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy 
to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","groups":["amazon","aws","aws_macie"],"id":"80355","firedtimes":30},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"CRITICAL","actor":"resources.wazuh.sample.com","summary":{"Timestamps":"2023-02-27T09:20:24.861Z","Description":"S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts","Bucket":"resources.wazuh.sample.com,","Record Count":"1","Event Count":"1","recipientAccountId":"166157441400","ACL":{"resources":{"wazuh":{"com":{"Owner":{"DisplayName":"wazuh","ID":"3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}},"risk-score":"9","notification-type":"ALERT_CREATED","name":"S3 Bucket IAM policy grants global read rights","created-at":"2023-02-27T09:20:24.861Z","source":"macie","url":"https://mt.ap-northeast-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aap-northeast-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded","tags":{"value":"Open Permissions,Basic 
Alert,"},"alert-arn":"arn:aws:macie:ap-northeast-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed","region":"eu-west-2","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"macie/2023/03/02/09/firehose_macie-1-2023-03-02-09-20-24-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2023-03-02-09-20-24-861b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":47},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. 
Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal 
wazuh.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":39},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":11,"mail":false,"level":3,"description":"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. [IP: 75.0.101.245] [Port: 80]","groups":["amazon","aws","aws_guardduty"],"id":"80305"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"2","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2019-03-22T14:15:41Z","instanceId":"i-0cab4a083d57dc400","networkInterfaces":{"networkInterfaceId":"eni-0bb465b2d939dbda6","subnetId":"subnet-6b1d6203","vpcId":"vpc-921e61fa","privateDnsName":"ip-10-0-0-1.ec2.internal","publicIp":"54.90.48.38","publicDnsName":"ec2-54.90.48.38.compute-1.amazonaws.com","privateIpAddress":"10.0.0.1"},"instanceState":"running","imageId":"ami-09ae67bbfcd740875","instanceType":"a1.medium","imageDescription":"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12","productCodes":{"productCodeId":"zud1u4kjmxu2j2jf0n36bqa","productCodeType":"marketplace"},"iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOUFGA","arn":"arn:aws:iam::186157501624:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1e"}},"description":"EC2 instance has an unprotected port which 
is being probed by a known malicious host.","source":"guardduty","type":"Recon:EC2/PortProbeUnprotectedPort","title":"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b400c06fb2897dfcebffb80d","additionalInfo":{"threatListName":"ProofPoint","threatName":"Scanner"},"count":"1647","action":{"actionType":"PORT_PROBE","portProbeAction":{"blocked":"false","portProbeDetails":{"localPortDetails":{"port":"80","portName":"HTTP"},"remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}}},"serviceName":"guardduty","eventFirstSeen":"2023-02-28T09:05:51.202Z","eventLastSeen":"2023-03-03T09:05:51.202Z"},"region":"us-east-1","accountId":"186157501624","log_info":{"s3bucket":"aws-sample-bucket-2","log_file":"guardduty/2023/03/03/09/firehose_guardduty-1-2023-03-03-09-05-51-202b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"createdAt":"2023-02-28T09:05:51.202Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK 
Service.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"aws":{"severity":"5","schemaVersion":"2.0","resource":{"accessKeyDetails":{"principalId":"AIDAIL4SI43KE7QMMBABB","userType":"IAMUser","userName":"NETWORK Service"},"resourceType":"AccessKey"},"log_info":{"s3bucket":"aws-sample-bucket-1","log_file":"guardduty/2023/03/02/07/firehose_guardduty-1-2023-03-02-07-53-04-300b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"},"description":"Unusual console login seen from principal ec2-user. Login activity using this client application, from the specific location has not been seen before from this principal.","source":"guardduty","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","title":"Unusual console login was seen for principal ec2-user.","accountId":"150447125201","createdAt":"2023-02-27T07:53:04.300Z","partition":"aws","service":{"archived":"false","resourceRole":"TARGET","detectorId":"cab38390b728c06fb2897dfcebffb80d","eventFirstSeen":"2023-02-27T07:53:04.300Z","eventLastSeen":"2023-03-02T07:53:04.300Z","additionalInfo":{"recentApiCalls":{"count":"3858","api":"ConsoleLogin"}},"count":"3858","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"callerType":"Remote IP","api":"ConsoleLogin","serviceName":"signin.amazonaws.com","remoteIpDetails":{"country":{"countryName":"Italy"},"city":{"cityName":"Palermo"},"geoLocation":{"lon":"13.334100","lat":"38.129000"},"organization":{"asnOrg":"Net Connections","org":"Net Connections","isp":"Net 
Connections","asn":"1547"},"ipAddressV4":"75.0.101.245"}}},"serviceName":"guardduty"},"id":"a8b8d0b82c50eed686df4d24fa87b657","region":"ap-northeast-3","arn":"arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657","updatedAt":"2020-04-22T10:30:26.721Z"},"integration":"aws"},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 
5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"description":"AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 
5060.","groups":["amazon","aws","aws_guardduty"],"id":"80302","firedtimes":41},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"aws","aws":{"severity":"5","schemaVersion":"2.0","resource":{"resourceType":"Instance","instanceDetails":{"launchTime":"2020-04-22T11:17:08Z","instanceId":"i-0b0b8b34a48c8f1c4","networkInterfaces":{"networkInterfaceId":"eni-01e777fb9acd548e4","subnetId":"subnet-7930da22","vpcId":"vpc-68e3c60f","privateDnsName":"ip-10-0-2-2.ec2.internal","publicIp":"40.220.125.204","publicDnsName":"ec2-40.220.125.204.compute-1.amazonaws.com","privateIpAddress":"10.0.2.2"},"instanceState":"running","imageId":"ami-0ff8a91507f77f900","instanceType":"t2.small","imageDescription":"Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2","iamInstanceProfile":{"id":"AIPAJGAZMFPZHKIBOCBIG","arn":"arn:aws:iam::186154171780:instance-profile/opsworks-web-production"},"availabilityZone":"us-east-1a"}},"description":"EC2 instance i-0cab4a083d57dc400 is communicating with a remote host on an unusual server port 5060.","source":"guardduty","type":"Behavior:EC2/NetworkPortUnusual","title":"Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 
5060.","accountId":"186154171780","createdAt":"2023-02-26T15:47:52.687Z","partition":"aws","service":{"archived":"false","resourceRole":"ACTOR","detectorId":"cab38390b728c06fb2897dfcebffc80d","eventFirstSeen":"2023-02-26T15:47:52.687Z","eventLastSeen":"2023-03-01T15:47:52.687Z","additionalInfo":{"localPort":"8905","outBytes":"1998","inBytes":"2649","unusual":"8922"},"count":"1771","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localIpDetails":{"ipAddressV4":"10.0.2.2"},"protocol":"TCP","blocked":"false","connectionDirection":"OUTBOUND","localPortDetails":{"port":"36220","portName":"Unknown"},"remotePortDetails":{"port":"5050","portName":"Unknown"},"remoteIpDetails":{"country":{"countryName":"Mexico"},"city":{"cityName":"Mérida"},"geoLocation":{"lon":"-89.616700","lat":"20.950000"},"organization":{"asnOrg":"Internet Mexico Company","org":"Internet Mexico Company","isp":"Internet Mexico Company","asn":"4257"},"ipAddressV4":"160.0.14.40"}}},"serviceName":"guardduty"},"id":"06b8d0602d109db1282f9143809f80b8","region":"ca-central-1","arn":"arn:aws:guardduty:ap-east-2:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8","updatedAt":"2020-04-22T07:18:12.778Z","log_info":{"s3bucket":"aws-sample-bucket-3","log_file":"guardduty/2023/03/01/15/firehose_guardduty-1-2023-03-01-15-47-52-687b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}},"location":"Wazuh-AWS","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"CRITICAL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"CRITICAL","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"SUCCESS","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"ALERT","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"BADTRUNC","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"BADNAME","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"A","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"INFO","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"NOERROR","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SERVFAIL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NOERROR","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west4","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"NOTAUTH","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"ALERT","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"ALERT","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"EMERGENCY","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"GCP alert event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65037","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"171.197.217.149","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"generic_task"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"EMERGENCY","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"BADTRUNC","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west2","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GCP critical event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65036","firedtimes":4,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"WARNING","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice 
event","id":"65001","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"A","responseCode":"NXDOMAIN","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"australia-southeast1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"A","responseCode":"SERVFAIL","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ERROR","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"A","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"EMERGENCY","sourceIP":"163.172.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Unable to process query due to a problem with the name 
server","id":"65007","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"41.212.95.203.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"southamerica-east1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"77.38.119.17","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"europe-west1","project_id":"wazuh-test","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP warning event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65034","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"mirrors.advancedhosters.com.","queryType":"A","responseCode":"WARNING","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west1","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"DNS external 
query","id":"65032","firedtimes":1,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east3","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"185.5.205.124.in-addr.arpa.","queryType":"PTR","responseCode":"WARNING","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-dev","source_type":"internet","target_type":"external"},"type":"dns_query"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-central1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"ALERT","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"NXDOMAIN","sourceIP":"83.32.0.0","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east1","project_id":"wazuh-prod","source_type":"gce-vm","target_type":"external"},"type":"app_script_function"},"severity":"NOTICE","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"false","protocol":"TCP","queryName":"41.212.95.203.in-addr.arpa","queryType":"PTR","responseCode":"SUCCESS","sourceIP":"1.33.213.199","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-west3","project_id":"wazuh-prod","source_type":"internet","target_type":"external"},"type":"generic_task"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GCP notice event with source IP 83.32.0.0 from europe-west1 with response code 
NXDOMAIN","id":"65010","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"mirrors.advancedhosters.com.","queryType":"PTR","responseCode":"CRITICAL","sourceIP":"154.84.246.205","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"us-east2","project_id":"wazuh-dev","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"CRITICAL","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GCP emergency event from VM 531339229531.instance-1 with source IP 83.32.0.0 from 
europe-west1","id":"65038","firedtimes":2,"mail":true,"groups":["gcp"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"gcp","gcp":{"insertId":"uk1zpe23xcj","jsonPayload":{"authAnswer":"true","protocol":"UDP","queryName":"98.72.244.104.in-addr.arpa.","queryType":"PTR","responseCode":"INFO","sourceIP":"75.142.129.202","vmInstanceId":"4980113928800839680.000000","vmInstanceName":"531339229531.instance-1"},"logName":"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries","receiveTimestamp":"2019-11-11T02:42:05.05853152Z","resource":{"labels":{"location":"asia-east1","project_id":"wazuh-test","source_type":"gce-vm","target_type":"external"},"type":"dns_query"},"severity":"INFO","timestamp":"2019-11-11T02:42:04.34921449Z"}},"location":"","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":9,"tsc":["C1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:01:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 14:01:25 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 134.87.21.47 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:15:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 10:15:38 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 54.10.24.5 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC4.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
17:04:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"26874","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 17:04:32 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.124.37.241 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:21:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 03:21:13 wazuh-manager sshd[15724]: Invalid user SYSTEM from 45.75.196.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC7.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 05:55:04","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 05:55:04 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:53:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 
17:53:50 wazuh-manager sshd[15722]: Invalid user root from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 00:45:53","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 00:45:53 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:01:27","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"SYSTEM","uid":"41","euid":"2","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 06:01:27 
wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=41 euid=2 tty=ssh ruser= rhost=16.4.20.20 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["PI1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:50:19","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"NETWORK Service","uid":"47","euid":"0","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 05:50:19 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=47 euid=0 tty=ssh ruser= rhost=54.10.24.5 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":35,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["CC1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
06:57:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 06:57:50 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 141.98.81.37 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["PI1.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 06:46:34","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 06:46:34 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["CC9.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 21:25:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 21:25:39 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 141.98.81.37 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P7.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:24:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 13:24:02 wazuh-manager sshd[15724]: Invalid 
user suricata from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P3.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:08:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 16:08:22 wazuh-manager sshd[5330]: Failed password for ec2-user from 187.80.4.18 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P5.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
23:41:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"7558","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 23:41:11 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 40.220.102.15 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 04:23:16","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 04:23:16 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC7.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:57:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 00:57:34 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 134.87.21.47 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:43:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 08:43:31 wazuh-manager sshd[5330]: Failed password for SYSTEM from 54.10.24.5 port 26874 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC7.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:32:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 23:32:39 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":10,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC7.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
05:39:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 05:39:16 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 141.98.81.37 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["A1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 18:28:14","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 18:28:14 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P6.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:45:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 19:45:05 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P2.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 15:01:53","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 15:01:53 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC6.6"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:41:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"7558","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 11:41:42 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 141.98.81.37 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["PI1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 17:00:10","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 17:00:10 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":20,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC6.6"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:14:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 17:14:07 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P5.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
22:30:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 22:30:45 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":41,"firedtimes":9,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
01:30:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"7558","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 01:30:48 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 54.10.24.5 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC4.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
18:02:29","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"root","uid":"13","euid":"30","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 18:02:29 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=13 euid=30 tty=ssh ruser= rhost=141.98.81.37 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P6.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:24:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3475","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 16:24:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.124.37.241 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["P2.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:38:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 07:38:53 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC8.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:03:23","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"Administrators","uid":"38","euid":"40","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 21:03:23 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=38 euid=40 tty=ssh ruser= 
rhost=45.124.37.241 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P3.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:21:20","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"ec2-user","uid":"13","euid":"19","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 12:21:20 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=13 euid=19 tty=ssh ruser= rhost=54.10.24.5 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["A1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 22:01:13","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 05 22:01:13 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC6.6"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:27:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"22","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 09:27:07 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.75.196.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":18,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["CC9.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
05:50:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 05:50:39 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 134.87.21.47 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC6.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:50:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"3527","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 17:50:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 134.87.21.47 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":36,"firedtimes":8,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:49:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 05:49:20 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["P6.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 06:56:12","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 06:56:12 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
01:48:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 01:48:45 wazuh-manager sshd[15722]: Invalid user SYSTEM from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:41:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 20:41:52 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["PI1.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:36:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 18:36:44 wazuh-manager sshd[15724]: Invalid user SYSTEM from 54.10.24.5 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":31,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["PI1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:34:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 11:34:37 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 141.98.81.37 port 26874 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["PI1.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 07:03:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3527","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 07:03:20 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 54.10.24.5 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["CC7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
19:00:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 19:00:59 wazuh-manager sshd[10022]: Invalid user root from root from 187.80.4.18 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":14,"tsc":["P3.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:18:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 02:18:22 wazuh-manager sshd[10022]: Invalid user root from root from 45.75.196.15 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P2.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:08:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"2222","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 11:08:35 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["CC2.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:43:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 06:43:41 wazuh-manager sshd[15724]: Invalid user Administrators from 141.98.81.37 port 3475"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["PI1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:03:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 13:03:52 wazuh-manager sshd[15724]: Invalid user SYSTEM from 54.10.24.5 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P5.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
09:46:57","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"suricata","uid":"16","euid":"11","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 09:46:57 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=11 tty=ssh ruser= rhost=134.87.21.47 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC3.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:47:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7854","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 07:47:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":9,"tsc":["P2.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:28:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 16:28:56 wazuh-manager sshd[5413]: Failed password for invalid user root from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:17:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 09:17:08 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["PI1.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 07:38:29","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 07:38:29 wazuh-manager unix_chkpwd[29593]: password check failed for 
user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P8.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:18:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 01:18:53 wazuh-manager sshd[15724]: Invalid user SYSTEM from 54.10.24.5 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:44:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"55047","dstuser":"LOCAL 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 15:44:51 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 141.98.81.37 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":10,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC3.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:08:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 01:08:32 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 54.10.24.5 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":48,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["CC4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:42:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 18:42:21 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 45.75.196.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["PI1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:15:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3014","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 20:15:58 
wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.75.196.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:32:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 10:32:56 wazuh-manager sshd[15722]: Invalid user root from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":46,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
09:24:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 09:24:16 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 06:15:47","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 06:15:47 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["PI1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:34:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"22","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 14:34:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 187.80.4.18 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC7.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:32:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4547","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 16:32:00 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 16.4.20.20 port 4547 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 08 03:28:53","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 03:28:53 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["A1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:19:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 07:19:33 wazuh-manager sshd[10022]: Invalid 
user NETWORK Service from NETWORK Service from 16.4.20.20 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P2.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:25:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 14:25:26 wazuh-manager sshd[5330]: Failed password for Administrators from 45.124.37.241 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC7.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:37:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3014","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 06:37:16 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 40.220.102.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC7.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 12:12:37","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 12:12:37 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":36,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["P3.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
19:12:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 19:12:53 wazuh-manager sshd[5413]: Failed password for invalid user root from 134.87.21.47 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P4.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:51:58","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"ec2-user","uid":"4","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 12:51:58 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=4 euid=10 tty=ssh ruser= rhost=187.80.4.18 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:44:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 02:44:59 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC7.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 22:46:17","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 22:46:17 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P6.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:53:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 07:53:43 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 187.80.4.18 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":42,"firedtimes":10,"tsc":["P6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
07:37:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 07:37:31 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 16.4.20.20 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
21:26:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"8905","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 21:26:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 45.75.196.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:17:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"2222","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 13:17:37 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 54.10.24.5 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":6,"tsc":["P6.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:46:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 08:46:40 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 45.75.196.15 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["A1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:38:37","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"SYSTEM","uid":"9","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 23:38:37 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=9 euid=25 tty=ssh ruser= rhost=45.124.37.241 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["PI1.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
12:45:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 12:45:50 wazuh-manager sshd[15722]: Invalid user suricata from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:08:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"55047","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 14:08:54 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC6.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:10:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 16:10:51 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":5,"firedtimes":7,"tsc":["CC3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:34:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 18:34:12 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 134.87.21.47 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC6.6"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:11:43","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"Administrators","uid":"6","euid":"39","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 16:11:43 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=6 euid=39 tty=ssh ruser= rhost=40.220.102.15 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P3.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:31:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"55047","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 04:31:35 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.124.37.241 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
01:28:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"7558","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 01:28:34 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC6.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:13:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"5784","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 06:13:45 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.75.196.15 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":43,"firedtimes":10,"tsc":["P7.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:37:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 20:37:37 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC6.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 04:31:45","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 04:31:45 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["P1.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:41:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3475","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 02:41:52 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 54.10.24.5 port 
3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 15:21:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 15:21:19 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 16.4.20.20 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC9.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
11:04:22","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"ec2-user","uid":"0","euid":"43","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 11:04:22 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=43 tty=ssh ruser= rhost=45.75.196.15 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":25,"firedtimes":8,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
11:30:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 11:30:11 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["CC3.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
20:06:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 20:06:24 wazuh-manager sshd[15722]: Invalid user wazuh from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC5.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:10:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 04:10:36 wazuh-manager sshd[5330]: Failed password for suricata from 134.87.21.47 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["CC5.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:53:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"5784","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 22:53:50 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 134.87.21.47 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC5.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 15:13:51","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 15:13:51 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC1.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:14:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 12:14:48 wazuh-manager sshd[5330]: Failed password for root from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC1.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:56:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 10:56:09 wazuh-manager 
sshd[5330]: Failed password for ec2-user from 40.220.102.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC5.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:37:00","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"suricata","uid":"34","euid":"0","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 10:37:00 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=34 euid=0 tty=ssh ruser= rhost=54.10.24.5 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":43,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["CC6.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
12:01:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 12:01:32 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":27,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["CC1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:39:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 20:39:59 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 54.10.24.5 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC9.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:25:02","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"root","uid":"43","euid":"1","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 02:25:02 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=43 euid=1 tty=ssh ruser= rhost=141.98.81.37 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:38:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 18:38:26 wazuh-manager sshd[10022]: Invalid user 
suricata from suricata from 187.80.4.18 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["CC2.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:11:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 11:11:06 wazuh-manager sshd[15724]: Invalid user ec2-user from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":18,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:11:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 20:11:36 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P6.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 06:47:38","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 06:47:38 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["PI1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 
13:48:27","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 13:48:27 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":24,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["P6.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:00:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 15:00:06 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 134.87.21.47 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["A1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:59:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 06:59:01 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 141.98.81.37 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 01:21:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 01:21:03 wazuh-manager sshd[5330]: Failed password for root from 16.4.20.20 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC6.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:25:03","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"LOCAL Service","uid":"37","euid":"4","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 04:25:03 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=4 tty=ssh ruser= rhost=16.4.20.20 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:53:01","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"ec2-user","uid":"36","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 05:53:01 wazuh-manager sshd[11294]: 
pam_unix(sshd:auth): authentication failure; logname= uid=36 euid=25 tty=ssh ruser= rhost=134.87.21.47 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC6.6"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:48:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 19:48:29 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 141.98.81.37 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
19:24:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"suricata","uid":"35","euid":"18","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 19:24:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=35 euid=18 tty=ssh ruser= rhost=134.87.21.47 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:29:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 00:29:04 wazuh-manager sshd[15724]: Invalid user ec2-user from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":10,"tsc":["C1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 04:17:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 04:17:37 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 45.75.196.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":14,"tsc":["CC7.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:26:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 17:26:46 wazuh-manager 
sshd[10022]: Invalid user ec2-user from ec2-user from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":8,"firedtimes":8,"tsc":["CC7.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 20:32:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 20:32:05 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 40.220.102.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P7.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:05:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 16:05:13 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 45.75.196.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":34,"firedtimes":3,"tsc":["P8.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
08:22:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 08:22:50 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 45.75.196.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P4.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
08:22:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 08:22:01 wazuh-manager sshd[15724]: Invalid user SYSTEM from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["PI1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:19:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 15:19:49 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P6.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 13:33:05","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 13:33:05 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P4.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:39:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 09:39:55 wazuh-manager sshd[15724]: Invalid user SYSTEM from 40.220.102.15 port 3527"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:43:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 12:43:04 wazuh-manager sshd[5330]: Failed password for SYSTEM from 134.87.21.47 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
06:50:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4547","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 06:50:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 54.10.24.5 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["PI1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 23:56:48","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 23:56:48 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:09:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"8905","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 04:09:22 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 187.80.4.18 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["CC6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:17:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 10:17:53 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 
16.4.20.20 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC3.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:52:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 11:52:45 wazuh-manager sshd[15724]: Invalid user root from 134.87.21.47 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["CC7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
12:02:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 12:02:08 wazuh-manager sshd[15722]: Invalid user root from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P5.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:48:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 14:48:36 wazuh-manager sshd[15724]: Invalid user Administrators from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":22,"firedtimes":3,"tsc":["C1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:59:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 22:59:23 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 05:52:19","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 05:52:19 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":16,"firedtimes":15,"tsc":["C1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:08:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK 
Service","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 08:08:08 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 45.124.37.241 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["P2.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:55:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 22:55:45 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 134.87.21.47 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["P5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:39:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 02:39:54 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 45.124.37.241 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":46,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC2.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
00:29:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 00:29:13 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P6.4"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:31:11","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"root","uid":"10","euid":"29","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 19:31:11 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=10 euid=29 tty=ssh ruser= rhost=187.80.4.18 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":17,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["CC6.6"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:37:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 01:37:55 wazuh-manager sshd[5413]: Failed password for invalid user root from 16.4.20.20 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":33,"firedtimes":6,"tsc":["P5.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
08:54:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 08:54:51 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.75.196.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
07:16:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 07:16:10 wazuh-manager sshd[5330]: Failed password for Administrators from 40.220.102.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P3.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:36:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"3475","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 02:36:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 16.4.20.20 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC3.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:51:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 02:51:37 wazuh-manager sshd[15722]: Invalid user wazuh from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["PI1.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:58:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 23:58:07 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 134.87.21.47 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: 
authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["C1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 04:24:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 04:24:52 wazuh-manager sshd[5330]: Failed password for Administrators from 45.124.37.241 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["C1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
13:57:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 13:57:54 wazuh-manager sshd[15722]: Invalid user wazuh from 45.75.196.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC6.8"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:34:25","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"SYSTEM","uid":"3","euid":"44","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 14:34:25 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=3 euid=44 tty=ssh ruser= rhost=40.220.102.15 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":13,"firedtimes":6,"tsc":["P6.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:27:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 10:27:12 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute 
Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC1.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:12:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7854","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 09:12:51 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.124.37.241 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:37:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 05:37:34 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.75.196.15 port 3527"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:37:45","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"suricata","uid":"28","euid":"31","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 23:37:45 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=28 euid=31 tty=ssh ruser= rhost=134.87.21.47 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":40,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["CC7.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:08:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK 
Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 16:08:49 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 40.220.102.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC6.8"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:22:22","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"ec2-user","uid":"23","euid":"33","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 14:22:22 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=23 euid=33 tty=ssh ruser= rhost=134.87.21.47 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC1.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:04:20","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"Administrators","uid":"7","euid":"26","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 01:04:20 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=7 euid=26 tty=ssh ruser= rhost=45.124.37.241 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["CC2.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:54:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 05:54:25 wazuh-manager sshd[10022]: Invalid user SYSTEM 
from SYSTEM from 141.98.81.37 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:20:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3527","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 13:20:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 54.10.24.5 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":26,"firedtimes":12,"tsc":["P4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
03:46:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"26874","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 03:46:26 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":34,"firedtimes":11,"tsc":["CC2.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
06:05:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 06:05:56 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 45.124.37.241 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["CC6.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:59:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"LOCAL 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 08:59:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 40.220.102.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["PI1.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:54:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 11:54:47 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.75.196.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":19,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["CC1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:19:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 14:19:16 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 40.220.102.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:19:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"7558","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 23:19:04 wazuh-manager sshd[19767]: 
error: maximum authentication attempts exceeded for Administrators from 134.87.21.47 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["A1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:47:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 19:47:59 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 141.98.81.37 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":38,"firedtimes":14,"tsc":["CC2.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
14:39:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 14:39:04 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":26,"firedtimes":14,"tsc":["CC9.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:03:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 03:03:07 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["A1.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
08:23:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 08:23:39 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["CC3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:45:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 06:45:16 wazuh-manager sshd[15724]: Invalid user wazuh from 141.98.81.37 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P6.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:48:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 15:48:35 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P5.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:51:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 20:51:10 wazuh-manager sshd[5330]: Failed password for Administrators from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:48:22","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"LOCAL Service","uid":"14","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 02:48:22 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=10 tty=ssh ruser= rhost=45.75.196.15 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":10,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["P6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:02:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 14:02:40 
wazuh-manager sshd[5413]: Failed password for invalid user suricata from 134.87.21.47 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC8.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:08:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 23:08:20 wazuh-manager sshd[15722]: Invalid user SYSTEM from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":31,"firedtimes":10,"tsc":["CC5.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
23:54:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 23:54:47 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 40.220.102.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC6.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:55:54","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"NETWORK 
Service","uid":"4","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 00:55:54 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=4 euid=25 tty=ssh ruser= rhost=187.80.4.18 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:23:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 03:23:32 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["P3.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:52:16","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"root","uid":"45","euid":"22","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 01:52:16 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=45 euid=22 tty=ssh ruser= rhost=187.80.4.18 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P1.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 15:17:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 15:17:32 wazuh-manager sshd[5330]: Failed password for wazuh from 54.10.24.5 port 8905 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC1.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:17:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7854","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 12:17:56 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 45.75.196.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["P6.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
01:23:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 01:23:23 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["C1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:34:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 08:34:33 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 45.75.196.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:48:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3475","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 03:48:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 187.80.4.18 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":19,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC6.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:37:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 04:37:01 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 141.98.81.37 port 4277 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC6.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:00:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4547","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 21:00:48 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["CC6.8"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
23:03:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 23:03:49 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:15:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 05:15:33 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":25,"firedtimes":9,"tsc":["PI1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:28:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 23:28:29 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":39,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["CC9.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:40:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 21:40:13 wazuh-manager sshd[5413]: Failed password for invalid user root from 134.87.21.47 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["PI1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:12:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"4547","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 00:12:46 wazuh-manager sshd[19767]: error: maximum authentication attempts 
exceeded for suricata from 45.124.37.241 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:51:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 01:51:04 wazuh-manager sshd[5330]: Failed password for wazuh from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC3.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
05:36:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 05:36:39 wazuh-manager sshd[15724]: Invalid user root from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":14,"tsc":["P4.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:00:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 19:00:48 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 134.87.21.47 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:43:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 05:43:35 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 40.220.102.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC4.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 13:24:14","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 13:24:14 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["P5.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:27:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 11:27:24 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC6.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
15:02:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 15:02:26 wazuh-manager sshd[15724]: Invalid user suricata from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":33,"firedtimes":13,"tsc":["CC2.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
20:17:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 20:17:17 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P6.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
05:56:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"3475","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 05:56:50 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 16.4.20.20 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC9.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:28:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"22","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 08:28:52 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 40.220.102.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":42,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["C1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:12:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 17:12:31 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 45.124.37.241 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:41:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"22","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 01:41:58 wazuh-manager sshd[19767]: error: maximum authentication 
attempts exceeded for root from 45.75.196.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC3.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:08:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 00:08:47 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["PI1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
11:59:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 11:59:17 wazuh-manager sshd[5330]: Failed password for Administrators from 40.220.102.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["PI1.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:41:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 00:41:38 wazuh-manager sshd[15722]: Invalid user Administrators from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:04:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"26874","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 21:04:45 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 187.80.4.18 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC3.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 09:41:56","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 09:41:56 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC7.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 09:15:00","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 09:15:00 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P2.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:04:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 14:04:13 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 3475 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":44,"firedtimes":11,"tsc":["CC3.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:42:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 09:42:41 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["PI1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:27:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 09:27:04 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 45.75.196.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["P6.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:03:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 23:03:57 wazuh-manager sshd[15724]: 
Invalid user NETWORK Service from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P3.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:20:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 23:20:53 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["CC9.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
01:00:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 01:00:14 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 40.220.102.15 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P4.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:24:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"7558","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 10:24:05 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 187.80.4.18 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:41:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 03:41:11 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 16.4.20.20 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["CC9.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:21:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 18:21:08 wazuh-manager 
sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 16.4.20.20 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":41,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:33:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 12:33:08 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P6.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
09:58:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 09:58:21 wazuh-manager sshd[15722]: Invalid user wazuh from 40.220.102.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["CC6.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:56:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"5784","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 23:56:41 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 03:12:35","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 03:12:35 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["PI1.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:21:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 21:21:48 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 16.4.20.20 port 2222 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC6.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:02:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 06:02:57 wazuh-manager sshd[15724]: Invalid user suricata from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC3.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
11:12:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 11:12:30 wazuh-manager sshd[15724]: Invalid user suricata from 187.80.4.18 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC7.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:04:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3475","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 18:04:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["A1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:52:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 13:52:36 wazuh-manager sshd[5330]: Failed password for wazuh from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC7.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:04:08","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"suricata","uid":"13","euid":"48","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 18:04:08 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=13 euid=48 tty=ssh ruser= 
rhost=45.75.196.15 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:14:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4277","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 16:14:15 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 54.10.24.5 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
00:43:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3014","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 00:43:54 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 40.220.102.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P8.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:22:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4277","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 03:22:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC1.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:49:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 17:49:12 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 187.80.4.18 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":9,"tsc":["P4.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:21:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 03:21:40 wazuh-manager sshd[10022]: 
Invalid user suricata from suricata from 141.98.81.37 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P2.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:07:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7558","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 10:07:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.124.37.241 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P6.6"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
22:53:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 22:53:52 wazuh-manager sshd[5330]: Failed password for Administrators from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 16:26:04","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 16:26:04 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["PI1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:00:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 19:00:59 wazuh-manager sshd[5330]: Failed password for SYSTEM from 141.98.81.37 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P1.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
02:39:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 02:39:43 wazuh-manager sshd[15722]: Invalid user root from 54.10.24.5 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":44,"firedtimes":14,"tsc":["CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:37:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 03:37:34 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
07:48:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 07:48:39 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 141.98.81.37 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":36,"firedtimes":15,"tsc":["P8.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
06:33:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 06:33:16 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 141.98.81.37 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC1.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 
14:10:20","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 14:10:20 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:54:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"55047","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 05:54:42 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 16.4.20.20 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC3.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:56:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3527","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 05:56:06 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.75.196.15 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":42,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":5,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:05:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 13:05:15 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 141.98.81.37 port 55047 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["C1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:52:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 21:52:29 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC3.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:59:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"4277"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 20:59:29 
wazuh-manager sshd[5330]: Failed password for root from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P6.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:42:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 15:42:53 wazuh-manager sshd[5330]: Failed password for SYSTEM from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":27,"firedtimes":3,"tsc":["P1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:29:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 22:29:49 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":5,"tsc":["CC6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:53:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 01:53:00 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 16.4.20.20 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P4.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 16:06:52","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 16:06:52 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":36,"firedtimes":12,"tsc":["CC1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
02:03:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"7558","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 02:03:45 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 141.98.81.37 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
00:37:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"2222","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 00:37:42 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.75.196.15 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC6.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 06:53:56","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 06:53:56 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":3,"tsc":["P3.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:22:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 09:22:40 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 141.98.81.37 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC2.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:29:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 15:29:19 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for 
wazuh from 40.220.102.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["CC7.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:13:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 00:13:44 wazuh-manager sshd[15722]: Invalid user Administrators from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC6.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
08:05:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"55047","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 08:05:20 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 54.10.24.5 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P4.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:21:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 22:21:04 wazuh-manager sshd[5330]: Failed password for ec2-user from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:29:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 09:29:11 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 45.124.37.241 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P1.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:36:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"5784","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 18:36:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root 
from 141.98.81.37 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:40:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 12:40:53 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 40.220.102.15 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
21:36:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"26874","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 21:36:20 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.75.196.15 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC6.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:40:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 23:40:13 wazuh-manager sshd[15724]: Invalid user root from 134.87.21.47 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:02:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 13:02:14 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 40.220.102.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC6.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:59:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"7558","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 06:59:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 134.87.21.47 port 7558 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["CC9.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:04:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 02:04:08 wazuh-manager sshd[15724]: Invalid user wazuh from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["CC6.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:37:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL 
Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 20:37:26 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":6,"firedtimes":7,"tsc":["P4.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:24:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"ful
l_log":"Mar 05 10:24:17 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:59:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3014","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 18:59:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 40.220.102.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["P4.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:07:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 19:07:02 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":22,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["PI1.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:01:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 04:01:38 wazuh-manager sshd[5413]: Failed password for invalid user root from 141.98.81.37 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:13:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4547","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 02:13:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P4.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:23:18","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"NETWORK Service","uid":"12","euid":"44","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 09:23:18 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=12 euid=44 tty=ssh ruser= rhost=141.98.81.37 user=NETWORK Service"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC7.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 07:48:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 07:48:52 wazuh-manager sshd[5330]: Failed password for SYSTEM from 45.75.196.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":23,"firedtimes":6,"tsc":["P8.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
07:43:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 07:43:12 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
05:12:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 05:12:55 wazuh-manager sshd[5330]: Failed password for Administrators from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":39,"firedtimes":11,"tsc":["CC3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
04:16:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3014","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 04:16:26 wazuh-manager sshd[5413]: Failed password for invalid user root from 187.80.4.18 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P6.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
13:07:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 13:07:16 wazuh-manager sshd[15724]: Invalid user SYSTEM from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:58:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 12:58:59 wazuh-manager sshd[15722]: Invalid user ec2-user from 141.98.81.37 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:10:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"22","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 19:10:47 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 54.10.24.5 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 13:26:22","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 13:26:22 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":20,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["P2.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:07:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 07:07:00 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.75.196.15 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["A1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:33:55","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"wazuh","uid":"12","euid":"8","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 04:33:55 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=12 euid=8 tty=ssh 
ruser= rhost=141.98.81.37 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["CC5.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:28:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 09:28:28 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 45.75.196.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["P3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
09:23:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 09:23:19 wazuh-manager sshd[15722]: Invalid user Administrators from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["CC3.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:44:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"7558","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 17:44:39 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 187.80.4.18 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:37:52","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"wazuh","uid":"33","euid":"46","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 05:37:52 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=33 euid=46 tty=ssh ruser= rhost=40.220.102.15 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P4.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:55:30","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"Administrators","uid":"49","euid":"27","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 20:55:30 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=49 euid=27 
tty=ssh ruser= rhost=40.220.102.15 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC2.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:48:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"7854","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 08:48:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P4.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:17:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"5784","dstuser":"NETWORK 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 09:17:37 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.124.37.241 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P5.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:50:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 23:50:34 wazuh-manager sshd[15722]: Invalid user root from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC5.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 00:26:19","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 00:26:19 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":31,"firedtimes":7,"tsc":["P4.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
23:35:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"26874","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 23:35:02 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 16.4.20.20 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["P7.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
02:18:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"55047","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 02:18:01 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 134.87.21.47 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["PI1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:44:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"7854","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 14:44:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 40.220.102.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["P5.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:47:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 20:47:38 wazuh-manager sshd[15724]: Invalid user Administrators from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["C1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:58:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 06:58:39 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["CC7.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:38:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"7558","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 19:38:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 187.80.4.18 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC2.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 04:52:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 04:52:20 wazuh-manager sshd[15722]: Invalid user ec2-user from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":38,"firedtimes":2,"tsc":["CC6.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
19:11:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"26874","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 19:11:45 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
02:11:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 02:11:56 wazuh-manager sshd[5330]: Failed password for SYSTEM from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["PI1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:06:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 11:06:59 wazuh-manager sshd[10022]: Invalid user root from root from 141.98.81.37 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P1.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:42:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"26874","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 04:42:29 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 141.98.81.37 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 00:13:39","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 00:13:39 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts 
exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:17:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"26874","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 19:17:40 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.124.37.241 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P4.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:24:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"wazuh","uid":"2","euid":"30","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 21:24:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= 
uid=2 euid=30 tty=ssh ruser= rhost=54.10.24.5 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P6.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:06:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3527","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 06:06:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 40.220.102.15 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P4.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
22:04:11","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"wazuh","uid":"44","euid":"35","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 22:04:11 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=44 euid=35 tty=ssh ruser= rhost=134.87.21.47 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":29,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":11,"tsc":["C1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:07:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 23:07:52 wazuh-manager sshd[5413]: Failed password for invalid user root from 40.220.102.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:12:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 19:12:24 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P7.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:42:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 04:42:35 wazuh-manager sshd[5330]: Failed password for ec2-user from 187.80.4.18 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or 
bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":20,"firedtimes":2,"tsc":["P7.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:01:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 20:01:06 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 134.87.21.47 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":32,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["P7.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:51:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 09:51:07 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":33,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["CC2.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:11:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 20:11:20 wazuh-manager sshd[5413]: Failed password for 
invalid user LOCAL Service from 134.87.21.47 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["CC4.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:37:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 18:37:30 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":14,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":4,"tsc":["PI1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
05:20:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 05:20:27 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 16.4.20.20 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":27,"firedtimes":3,"tsc":["P4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
04:51:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 04:51:56 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":17,"firedtimes":9,"tsc":["P4.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:09:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK 
Service","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 23:09:10 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:46:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 18:46:34 wazuh-manager sshd[5330]: Failed password for SYSTEM from 134.87.21.47 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:43:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 03:43:14 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":15,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["P1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
23:38:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 23:38:30 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 141.98.81.37 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:46:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 23:46:08 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 16:46:56","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 16:46:56 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:17:40","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"SYSTEM","uid":"16","euid":"13","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 20:17:40 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=13 tty=ssh ruser= rhost=141.98.81.37 user=SYSTEM"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC1.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:42:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3014","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 03:42:05 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.75.196.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":8,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["A1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
20:59:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 20:59:18 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 187.80.4.18 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":14,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["P7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:07:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 19:07:02 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC6.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 10:21:28","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 10:21:28 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC7.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:17:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 03:17:30 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 40.220.102.15 port 22 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":29,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["CC7.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 01:23:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 01:23:07 wazuh-manager sshd[5413]: Failed password for invalid user root from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 04:53:59","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 04:53:59 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["P3.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:15:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 04:15:34 wazuh-manager sshd[15722]: Invalid user suricata from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:34:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"55047","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 20:34:45 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P4.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:37:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 09:37:26 wazuh-manager sshd[5330]: Failed password for root from 141.98.81.37 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P8.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:14:41","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"Administrators","uid":"32","euid":"42","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 18:14:41 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=32 euid=42 tty=ssh ruser= rhost=16.4.20.20 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["P4.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
21:46:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 21:46:11 wazuh-manager sshd[15722]: Invalid user Administrators from 45.124.37.241 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":21,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["CC3.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:49:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 02:49:40 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:42:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 09:42:02 wazuh-manager sshd[15724]: Invalid user root from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 11:16:01","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 11:16:01 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 08:10:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4277","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 08:10:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":44,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["CC1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:26:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 09:26:46 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 45.124.37.241 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["P4.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:10:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"55047","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 06:10:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.124.37.241 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
18:30:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 18:30:25 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 45.124.37.241 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 07:07:04","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 07:07:04 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":8,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["A1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:06:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 19:06:11 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 45.124.37.241 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC9.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:22:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 15:22:55 wazuh-manager sshd[19767]: error: maximum authentication 
attempts exceeded for root from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P8.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:41:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"3014","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 04:41:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 16.4.20.20 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
01:26:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 01:26:52 wazuh-manager sshd[15722]: Invalid user ec2-user from 187.80.4.18 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["P6.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:04:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 19:04:42 wazuh-manager sshd[15724]: Invalid user Administrators from 54.10.24.5 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:34:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"4277","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 12:34:23 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 134.87.21.47 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P6.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:24:00","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"wazuh","uid":"26","euid":"46","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 07:24:00 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=26 euid=46 tty=ssh ruser= rhost=187.80.4.18 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or 
bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":42,"firedtimes":14,"tsc":["P6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:53:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 23:53:46 wazuh-manager sshd[5413]: Failed password for invalid user root from 40.220.102.15 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["CC4.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 17:33:49","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 17:33:49 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P7.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:00:10","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"SYSTEM","uid":"16","euid":"40","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 12:00:10 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=40 tty=ssh ruser= rhost=54.10.24.5 user=SYSTEM"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["C1.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:38:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4277","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 21:38:20 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 54.10.24.5 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P6.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:51:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"26874","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 10:51:16 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 141.98.81.37 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC5.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:04:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3475","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 10:04:27 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.124.37.241 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["CC1.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:32:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4277","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 13:32:56 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 16.4.20.20 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":22,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["P3.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:17:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 14:17:13 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 4547 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC5.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:44:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 08:44:26 wazuh-manager sshd[15722]: Invalid user root from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":23,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["PI1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:19:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 00:19:07 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:23:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 19:23:37 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 16.4.20.20 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["CC9.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:15:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 02:15:36 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["PI1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:56:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 09:56:24 wazuh-manager sshd[15722]: Invalid 
user wazuh from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC4.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:58:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"4277","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 10:58:59 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.124.37.241 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P6.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
05:38:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 05:38:43 wazuh-manager sshd[15722]: Invalid user root from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P4.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 18:01:16","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 18:01:16 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:24:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"2222","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 08:24:51 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 134.87.21.47 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["P4.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 19:16:38","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 19:16:38 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login 
using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P5.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:51:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 21:51:22 wazuh-manager sshd[15724]: Invalid user ec2-user from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC6.8"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:18:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"2222","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 15:18:14 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 134.87.21.47 port 2222 ssh2 
[preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC3.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:47:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"22","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 11:47:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 187.80.4.18 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
11:05:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 11:05:31 wazuh-manager sshd[15724]: Invalid user ec2-user from 141.98.81.37 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":27,"firedtimes":4,"tsc":["CC6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
19:39:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 19:39:01 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
01:12:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7558","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 01:12:47 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.75.196.15 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC2.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:07:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 20:07:28 wazuh-manager sshd[15724]: Invalid user suricata from 141.98.81.37 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC6.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:35:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 12:35:22 wazuh-manager sshd[15722]: Invalid user suricata from 187.80.4.18 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:52:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"22","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 13:52:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 16.4.20.20 port 22 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P3.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:32:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 13:32:13 wazuh-manager sshd[15722]: Invalid user Administrators from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":44,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["CC9.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:32:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 20:32:09 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 16.4.20.20 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC3.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:42:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 01:42:29 wazuh-manager sshd[5330]: Failed password for SYSTEM from 54.10.24.5 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":47,"firedtimes":5,"tsc":["CC5.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:05:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 13:05:01 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 54.10.24.5 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P4.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 21:40:16","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 21:40:16 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":22,"firedtimes":6,"tsc":["CC7.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
00:09:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 00:09:02 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
02:24:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 02:24:42 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 40.220.102.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 09:26:36","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 09:26:36 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["CC6.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:20:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 23:20:45 wazuh-manager sshd[10022]: Invalid user root from root from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P2.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:07:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 03:07:07 wazuh-manager sshd[5330]: Failed password for root from 187.80.4.18 port 55047 
ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["P2.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:15:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4277","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 15:15:12 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 141.98.81.37 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:51:06","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"suricata","uid":"49","euid":"7","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 07:51:06 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=49 euid=7 tty=ssh ruser= rhost=54.10.24.5 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC2.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:02:35","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"root","uid":"41","euid":"3","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 10:02:35 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=41 euid=3 tty=ssh ruser= rhost=40.220.102.15 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
12:59:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"7854","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 12:59:23 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:43:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 02:43:22 wazuh-manager sshd[5330]: Failed password for Administrators from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":47,"firedtimes":4,"tsc":["CC6.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:02:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7558","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 12:02:23 wazuh-manager sshd[5413]: Failed password for invalid user root from 134.87.21.47 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":10,"tsc":["A1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:23:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 10:23:58 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 40.220.102.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC3.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:34:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4547","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 08:34:13 wazuh-manager 
sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:02:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 21:02:09 wazuh-manager sshd[15724]: Invalid user SYSTEM from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P8.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
12:46:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 12:46:57 wazuh-manager sshd[15724]: Invalid user wazuh from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P2.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:35:51","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"Administrators","uid":"5","euid":"43","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 23:35:51 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=5 euid=43 tty=ssh ruser= rhost=40.220.102.15 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":10,"tsc":["P6.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:47:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 14:47:50 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 54.10.24.5 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":15,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["P4.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:18:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 20:18:00 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 40.220.102.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:55:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 18:55:59 wazuh-manager sshd[5330]: Failed password for 
Administrators from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P6.6"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:52:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3014","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 12:52:49 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 54.10.24.5 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC3.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
14:01:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 14:01:43 wazuh-manager sshd[10022]: Invalid user root from root from 40.220.102.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":3,"tsc":["PI1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 06:45:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 06:45:32 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 45.75.196.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["PI1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:39:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 05:39:22 wazuh-manager sshd[15722]: Invalid user suricata from 187.80.4.18 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":28,"firedtimes":15,"tsc":["CC1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:50:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL 
Service","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 12:50:54 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 134.87.21.47 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":10,"tsc":["CC8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:58:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL 
Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 00:58:34 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 141.98.81.37 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["PI1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:52:22","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"suricata","uid":"14","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 16:52:22 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=10 tty=ssh ruser= rhost=134.87.21.47 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:59:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 08:59:11 wazuh-manager sshd[15722]: Invalid user suricata from 187.80.4.18 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:00:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 05:00:13 wazuh-manager 
sshd[15722]: Invalid user Administrators from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":14,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:55:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 18:55:07 wazuh-manager sshd[10022]: Invalid user root from root from 45.75.196.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
17:24:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 17:24:01 wazuh-manager sshd[15724]: Invalid user suricata from 54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":21,"firedtimes":5,"tsc":["CC1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
10:57:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 10:57:33 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC5.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 
12:00:30","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 12:00:30 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:34:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"4277","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 17:34:48 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 54.10.24.5 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["CC8.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:33:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 00:33:18 wazuh-manager sshd[10022]: Invalid user root from root from 45.75.196.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P5.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:26:01","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"LOCAL Service","uid":"2","euid":"47","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 17:26:01 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=2 euid=47 
tty=ssh ruser= rhost=187.80.4.18 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:43:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"55047","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 03:43:39 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 16.4.20.20 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["PI1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
15:07:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 15:07:51 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 40.220.102.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P6.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:17:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 11:17:15 wazuh-manager sshd[15722]: Invalid user wazuh from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["PI1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:16:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"4547","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 03:16:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 40.220.102.15 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P7.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:07:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 08:07:42 wazuh-manager sshd[15722]: 
Invalid user root from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 23:30:24","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 23:30:24 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P3.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
07:35:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 07:35:37 wazuh-manager sshd[15724]: Invalid user ec2-user from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:39:15","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"ec2-user","uid":"22","euid":"49","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 06:39:15 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=22 euid=49 tty=ssh ruser= rhost=16.4.20.20 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["A1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 13:31:47","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 13:31:47 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":50,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["CC2.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:23:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 22:23:03 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 40.220.102.15 
port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["PI1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 10:54:56","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 10:54:56 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC4.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:17:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3527","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 17:17:07 wazuh-manager sshd[19767]: 
error: maximum authentication attempts exceeded for suricata from 187.80.4.18 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:21:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 09:21:12 wazuh-manager sshd[5330]: Failed password for SYSTEM from 16.4.20.20 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P3.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
11:06:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 11:06:31 wazuh-manager sshd[15722]: Invalid user root from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["P6.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:17:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"2222","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 03:17:28 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:43:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"3475","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 20:43:19 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 16.4.20.20 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":39,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:03:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 10:03:13 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 3475 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC2.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:41:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 06:41:08 wazuh-manager sshd[15724]: Invalid user SYSTEM from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC6.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
03:04:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 03:04:04 wazuh-manager sshd[15722]: Invalid user Administrators from 54.10.24.5 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":14,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["P6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:39:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 14:39:02 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 45.75.196.15 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC1.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:45:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"3527","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 01:45:40 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 134.87.21.47 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:15:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 19:15:28 wazuh-manager sshd[5330]: Failed password for wazuh from 54.10.24.5 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["PI1.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:38:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 08:38:47 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 16.4.20.20 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["P5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:16:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 05:16:23 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh 
from 16.4.20.20 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":39,"firedtimes":4,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:47:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 19:47:11 wazuh-manager sshd[5413]: Failed password for invalid user root from 16.4.20.20 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":8,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:23:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 08:23:38 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["C1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:49:05","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"wazuh","uid":"3","euid":"16","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 11:49:05 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= 
uid=3 euid=16 tty=ssh ruser= rhost=45.75.196.15 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:09:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 18:09:54 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 18:25:05","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 18:25:05 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":13,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:34:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 05:34:38 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 16.4.20.20 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":35,"firedtimes":10,"tsc":["P3.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
18:34:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 18:34:42 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.124.37.241 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC5.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 
20:15:50","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 20:15:50 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["CC5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:44:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 23:44:41 wazuh-manager sshd[15722]: Invalid user suricata from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["PI1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:25:42","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"root","uid":"34","euid":"17","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 06:25:42 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=34 euid=17 tty=ssh ruser= rhost=187.80.4.18 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":23,"firedtimes":9,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
04:17:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 04:17:17 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["CC3.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
07:02:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 07:02:56 wazuh-manager sshd[15722]: Invalid user Administrators from 141.98.81.37 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:20:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 14:20:18 wazuh-manager sshd[15722]: Invalid user SYSTEM from 45.75.196.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 21:50:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 21:50:56 wazuh-manager sshd[5330]: Failed password for ec2-user from 45.124.37.241 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:11:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 18:11:50 wazuh-manager sshd[5330]: Failed password for SYSTEM from 16.4.20.20 
port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:47:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"LOCAL Service","uid":"23","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 02:47:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=23 euid=25 tty=ssh ruser= rhost=134.87.21.47 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:32:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3527","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 03:32:02 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 187.80.4.18 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:54:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3014","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 07:54:14 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 187.80.4.18 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["C1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
04:46:01","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"suricata","uid":"46","euid":"22","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 04:46:01 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=46 euid=22 tty=ssh ruser= rhost=187.80.4.18 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":14,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":5,"tsc":["CC5.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:04:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 10:04:44 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC2.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:10:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 09:10:32 wazuh-manager sshd[15724]: Invalid user root from 134.87.21.47 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["A1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:14:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 05:14:35 wazuh-manager 
sshd[15722]: Invalid user ec2-user from 54.10.24.5 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P6.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:41:29","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"ec2-user","uid":"0","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 06:41:29 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=25 tty=ssh ruser= rhost=54.10.24.5 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["P6.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
06:51:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 06:51:10 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":41,"firedtimes":5,"tsc":["P6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
06:50:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3014","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 06:50:53 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":50,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":4,"tsc":["A1.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
23:05:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 23:05:28 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 45.75.196.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:36:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 17:36:20 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":11,"tsc":["CC8.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:40:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 02:40:27 wazuh-manager sshd[5413]: Failed password for invalid user root from 16.4.20.20 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["A1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:38:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 03:38:45 wazuh-manager sshd[15724]: Invalid user root from 40.220.102.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:24:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 16:24:31 wazuh-manager sshd[5330]: Failed password for ec2-user from 45.75.196.15 port 4547 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":35,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":4,"tsc":["CC7.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:38:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 13:38:49 wazuh-manager sshd[5413]: Failed password for invalid user root from 54.10.24.5 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P5.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:14:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL 
Service","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 13:14:03 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["PI1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 00:22:52","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 00:22:52 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
13:43:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 13:43:06 wazuh-manager sshd[5330]: Failed password for SYSTEM from 40.220.102.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":27,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:03:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 03:03:11 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 45.75.196.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["P6.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:53:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 02:53:16 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 40.220.102.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC6.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 23:53:47","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 23:53:47 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["CC3.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:45:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"4547","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 04:45:57 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 40.220.102.15 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["CC3.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
22:48:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 22:48:40 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 40.220.102.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:45:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 14:45:26 wazuh-manager sshd[15722]: Invalid user Administrators from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["CC2.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:54:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"26874","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 11:54:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":32,"firedtimes":9,"tsc":["CC3.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
19:39:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"7558","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 19:39:40 wazuh-manager sshd[5413]: Failed password for invalid user root from 141.98.81.37 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":10,"firedtimes":6,"tsc":["CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
05:50:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 05:50:20 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["CC3.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
07:46:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"3014","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 07:46:03 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 141.98.81.37 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P1.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:20:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 05:20:29 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P8.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:44:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 08:44:28 wazuh-manager sshd[5330]: Failed password for wazuh from 134.87.21.47 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:20:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"4277","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 06:20:17 wazuh-manager sshd[19767]: 
error: maximum authentication attempts exceeded for NETWORK Service from 134.87.21.47 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:36:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 18:36:41 wazuh-manager sshd[15724]: Invalid user ec2-user from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["A1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
11:35:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 11:35:17 wazuh-manager sshd[15724]: Invalid user ec2-user from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":8,"firedtimes":12,"tsc":["P5.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
07:24:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 07:24:48 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P8.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:16:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 20:16:34 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 45.124.37.241 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 20:13:55","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 20:13:55 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":44,"firedtimes":9,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
17:55:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 17:55:43 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 187.80.4.18 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC6.8"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
12:14:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"26874","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 12:14:46 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC3.4"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:01:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 12:01:35 wazuh-manager sshd[5330]: Failed password for suricata from 187.80.4.18 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC7.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 21:04:00","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 21:04:00 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC2.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:57:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 01:57:57 wazuh-manager sshd[15724]: Invalid user wazuh from 40.220.102.15 port 26874"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC9.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:32:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 07:32:18 wazuh-manager sshd[10022]: Invalid user root from root from 45.75.196.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":18,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["P6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:40:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL 
Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 22:40:25 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 16.4.20.20 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:31:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 09:31:44 wazuh-manager sshd[5330]: Failed password for wazuh from 40.220.102.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["A1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:47:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 22:47:50 wazuh-manager sshd[15724]: Invalid user Administrators from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:25:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 05:25:56 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 134.87.21.47 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC3.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:29:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 00:29:56 wazuh-manager sshd[5330]: Failed password for wazuh from 45.124.37.241 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["P6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:58:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 02:58:31 wazuh-manager sshd[10022]: Invalid user root from root from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC7.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
19:58:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 19:58:35 wazuh-manager sshd[15722]: Invalid user suricata from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:16:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"4547","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 12:16:57 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.124.37.241 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P4.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:54:27","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"suricata","uid":"21","euid":"26","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 04:54:27 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=21 euid=26 tty=ssh ruser= rhost=141.98.81.37 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["P7.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 07:22:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 07:22:09 wazuh-manager sshd[5330]: Failed password for wazuh from 
16.4.20.20 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":50,"firedtimes":12,"tsc":["CC7.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:37:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 08:37:17 wazuh-manager sshd[5413]: Failed password for invalid user root from 141.98.81.37 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 04:19:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 04:19:20 wazuh-manager sshd[5330]: Failed password for wazuh from 16.4.20.20 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["P5.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:00:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 02:00:25 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 16.4.20.20 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["P3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:47:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"8905","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 07:47:49 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 187.80.4.18 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":46,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":3,"tsc":["CC3.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
16:20:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 16:20:27 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P2.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:26:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"7854","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 18:26:30 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 141.98.81.37 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":5,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["CC7.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:24:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 10:24:28 wazuh-manager sshd[5413]: Failed password for invalid user root from 134.87.21.47 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC4.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:12:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 
05:12:42 wazuh-manager sshd[15724]: Invalid user ec2-user from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC5.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:05:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 15:05:59 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 16.4.20.20 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC3.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
20:45:58","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"SYSTEM","uid":"1","euid":"41","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 20:45:58 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=1 euid=41 tty=ssh ruser= rhost=45.75.196.15 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":9,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["CC6.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:52:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 21:52:55 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 16.4.20.20 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC2.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:26:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 00:26:37 wazuh-manager sshd[5330]: Failed password for suricata from 54.10.24.5 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC6.8"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
12:30:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 12:30:41 wazuh-manager sshd[15722]: Invalid user SYSTEM from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:16:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 10:16:16 wazuh-manager sshd[15722]: Invalid user Administrators from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:30:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"NETWORK Service","uid":"42","euid":"15","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 08:30:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=42 euid=15 tty=ssh ruser= rhost=45.124.37.241 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:20:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 17:20:34 wazuh-manager sshd[5330]: 
Failed password for NETWORK Service from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["CC9.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:29:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 07:29:59 wazuh-manager sshd[15722]: Invalid user suricata from 134.87.21.47 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 22:43:21","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 22:43:21 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P2.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 05:21:28","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 05:21:28 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":13,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["CC7.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
21:19:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 21:19:59 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["A1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:59:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 17:59:17 wazuh-manager sshd[15722]: Invalid user wazuh from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC5.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:11:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 22:11:13 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 134.87.21.47 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC7.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:18:20","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"Administrators","uid":"31","euid":"24","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 11:18:20 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=31 
euid=24 tty=ssh ruser= rhost=45.124.37.241 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC9.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:30:21","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"NETWORK Service","uid":"31","euid":"4","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 09:30:21 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=31 euid=4 tty=ssh ruser= rhost=16.4.20.20 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC9.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
23:57:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 23:57:33 wazuh-manager sshd[5330]: Failed password for Administrators from 45.124.37.241 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 07:03:27","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 07:03:27 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC6.6"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 21:05:21","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 21:05:21 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":15,"tsc":["P6.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
13:49:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 13:49:19 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 141.98.81.37 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:55:05","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"wazuh","uid":"40","euid":"20","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United 
States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 17:55:05 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=40 euid=20 tty=ssh ruser= rhost=141.98.81.37 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC5.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 05:00:25","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 05:00:25 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":35,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["CC3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
01:06:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 01:06:19 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 54.10.24.5 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC5.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 16:41:46","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 16:41:46 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":31,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":12,"tsc":["CC2.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:16:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 23:16:11 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":44,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:21:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 20:21:56 wazuh-manager sshd[5413]: 
Failed password for invalid user Administrators from 187.80.4.18 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P1.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:59:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"3014","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 17:59:58 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 134.87.21.47 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC9.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
00:38:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 00:38:06 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 187.80.4.18 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["PI1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:19:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 03:19:14 wazuh-manager sshd[15722]: Invalid user root from 141.98.81.37 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P6.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:35:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"22","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 14:35:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 54.10.24.5 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":32,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":4,"tsc":["CC8.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:38:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 02:38:54 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 40.220.102.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":13,"firedtimes":14,"tsc":["P4.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:29:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 06:29:39 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute 
Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 08:48:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"7854","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 08:48:54 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 134.87.21.47 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["P3.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:29:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 11:29:59 wazuh-manager 
sshd[15722]: Invalid user ec2-user from 134.87.21.47 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:54:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 03:54:52 wazuh-manager sshd[15724]: Invalid user suricata from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC5.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 
03:18:45","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 03:18:45 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":9,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":12,"tsc":["A1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:31:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 03:31:50 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:51:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4547","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 04:51:10 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 141.98.81.37 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC8.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 18:58:57","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 18:58:57 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 20:51:55","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 20:51:55 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P6.6"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:40:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 07:40:42 wazuh-manager sshd[15724]: Invalid user SYSTEM from 16.4.20.20 port 26874"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC3.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:54:48","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"suricata","uid":"14","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 12:54:48 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=10 tty=ssh ruser= rhost=141.98.81.37 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":14,"tsc":["CC2.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
05:30:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 05:30:08 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 134.87.21.47 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P8.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:02:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"3014","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 02:02:15 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 134.87.21.47 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":38,"firedtimes":9,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:15:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 16:15:48 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["CC5.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:14:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4277","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 14:14:40 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P6.6"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:28:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"2222","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 03:28:00 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 16.4.20.20 port 2222 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["P1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:34:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 05:34:59 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["A1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:33:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 07:33:14 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["P2.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:01:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 06:01:33 wazuh-manager sshd[15724]: Invalid user wazuh from 40.220.102.15 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":6,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["P5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:07:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 03:07:47 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:18:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 13:18:51 wazuh-manager sshd[5330]: Failed password for root from 16.4.20.20 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["PI1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:32:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 23:32:10 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["CC3.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
19:42:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 19:42:05 wazuh-manager sshd[15722]: Invalid user ec2-user from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:36:41","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"SYSTEM","uid":"7","euid":"7","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 10:36:41 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=7 euid=7 tty=ssh ruser= rhost=45.75.196.15 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:06:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 03:06:24 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["CC5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 23:02:16","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 23:02:16 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:21:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 17:21:53 wazuh-manager sshd[5330]: Failed password for root from 187.80.4.18 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["P4.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
12:34:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 12:34:04 wazuh-manager sshd[10022]: Invalid user root from root from 141.98.81.37 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":32,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["P5.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:53:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 18:53:28 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 141.98.81.37 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P6.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:50:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3527","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 06:50:47 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.124.37.241 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["CC6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:29:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 15:29:02 wazuh-manager sshd[15722]: Invalid user wazuh from 134.87.21.47 port 2222"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":16,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":5,"tsc":["C1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:03:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 13:03:04 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":33,"firedtimes":4,"tsc":["CC7.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
11:54:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 11:54:49 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["PI1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:15:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 20:15:45 wazuh-manager sshd[15724]: Invalid user root from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["P6.4"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:37:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 21:37:44 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:53:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 00:53:03 wazuh-manager sshd[5330]: Failed password for SYSTEM from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":25,"firedtimes":9,"tsc":["CC6.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
01:09:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 01:09:45 wazuh-manager sshd[5413]: Failed password for invalid user root from 187.80.4.18 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 
01:18:08","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 01:18:08 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["P2.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:08:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 13:08:06 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:30:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"8905","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 15:30:22 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.75.196.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P6.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:16:25","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"Administrators","uid":"20","euid":"43","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 20:16:25 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=20 euid=43 tty=ssh ruser= rhost=54.10.24.5 user=Administrators"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["CC6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 22:20:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 22:20:39 wazuh-manager sshd[15724]: Invalid user SYSTEM from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":3,"tsc":["P2.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
21:15:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 21:15:05 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 187.80.4.18 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["PI1.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:30:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 18:30:48 wazuh-manager sshd[15724]: Invalid user root from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC1.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:12:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"7558","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 12:12:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 187.80.4.18 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC3.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:42:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 09:42:42 wazuh-manager sshd[15722]: Invalid user SYSTEM from 
45.75.196.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC6.8"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:59:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"55047","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 04:59:54 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.124.37.241 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["PI1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
20:26:43","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"root","uid":"14","euid":"21","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 20:26:43 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=21 tty=ssh ruser= rhost=40.220.102.15 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["A1.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:06:58","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"root","uid":"14","euid":"49","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 13:06:58 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=49 tty=ssh ruser= rhost=16.4.20.20 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P6.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:48:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 01:48:26 wazuh-manager sshd[5330]: Failed password for root from 16.4.20.20 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":8,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["P2.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:38:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 01:38:09 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.75.196.15 port 
7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:47:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"8905","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 19:47:11 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":26,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["P7.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
18:51:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 18:51:24 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P6.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:15:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 05:15:13 wazuh-manager sshd[15722]: Invalid user SYSTEM from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["CC2.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:40:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"22","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 05:40:36 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 40.220.102.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["PI1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:37:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3527","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 17:37:58 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:10:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 16:10:13 wazuh-manager sshd[5330]: Failed password for suricata from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["CC3.4"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:52:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 21:52:01 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM 
from 16.4.20.20 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC1.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:48:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 03:48:57 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["P4.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
21:13:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 21:13:20 wazuh-manager sshd[5330]: Failed password for Administrators from 16.4.20.20 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P5.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:48:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"8905","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 03:48:56 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 134.87.21.47 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P6.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:13:24","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"Administrators","uid":"37","euid":"20","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 03:13:24 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=20 tty=ssh ruser= rhost=54.10.24.5 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P6.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:48:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3475","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 10:48:46 wazuh-manager sshd[19767]: 
error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["A1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:24:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 20:24:07 wazuh-manager sshd[15722]: Invalid user SYSTEM from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":48,"firedtimes":10,"tsc":["PI1.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
17:19:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 17:19:24 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 45.75.196.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["PI1.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
17:59:22","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"root","uid":"48","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 17:59:22 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=48 euid=25 tty=ssh ruser= rhost=40.220.102.15 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["CC3.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:35:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 20:35:36 wazuh-manager sshd[15724]: Invalid user Administrators from 54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC6.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:31:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3475","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 07:31:01 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 40.220.102.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["CC1.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:07:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 23:07:20 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 187.80.4.18 port 3014 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC5.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:24:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 18:24:17 wazuh-manager sshd[15724]: Invalid user ec2-user from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P6.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
04:17:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 04:17:19 wazuh-manager sshd[15722]: Invalid user Administrators from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:41:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 09:41:20 wazuh-manager sshd[5330]: Failed password for root from 45.75.196.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC9.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:44:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"26874","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 02:44:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 45.75.196.15 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["C1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:11:29","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"NETWORK Service","uid":"3","euid":"4","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 09:11:29 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=3 euid=4 tty=ssh ruser= rhost=134.87.21.47 user=NETWORK Service"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":32,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["CC3.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:15:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 03:15:20 wazuh-manager sshd[5413]: Failed password for invalid user root from 16.4.20.20 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P4.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:35:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 
16:35:21 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 45.75.196.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["CC1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:59:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 06:59:35 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 141.98.81.37 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
06:16:37","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"root","uid":"43","euid":"9","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 06:16:37 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=43 euid=9 tty=ssh ruser= rhost=54.10.24.5 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["PI1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 17:23:42","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 17:23:42 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 03:36:06","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 03:36:06 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":9,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["P7.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:45:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 07:45:51 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 8905 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P4.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:49:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 03:49:10 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC3.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:28:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"22","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 03 04:28:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 16.4.20.20 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":3,"tsc":["CC2.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:33:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 12:33:53 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:47:05","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"ec2-user","uid":"48","euid":"43","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 09:47:05 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=48 euid=43 tty=ssh ruser= rhost=187.80.4.18 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:40:40","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"Administrators","uid":"10","euid":"39","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 18:40:40 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=10 euid=39 tty=ssh ruser= rhost=54.10.24.5 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:18:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 05:18:35 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:36:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"26874","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 12:36:10 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for suricata from 187.80.4.18 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC7.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 07:59:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"22","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 07:59:10 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 45.75.196.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P7.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
03:03:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7854","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 03:03:59 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":38,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC6.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:55:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 14:55:53 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P6.6"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 10:38:47","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 10:38:47 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":30,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["CC5.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:52:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 23:52:55 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 16.4.20.20 port 7558 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:03:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 14:03:05 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P5.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
15:57:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 15:57:42 wazuh-manager sshd[15722]: Invalid user Administrators from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC7.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:48:03","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"SYSTEM","uid":"26","euid":"46","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 21:48:03 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=26 euid=46 tty=ssh ruser= rhost=16.4.20.20 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["P2.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 04:18:06","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"SYSTEM","uid":"18","euid":"9","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 04:18:06 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=18 euid=9 tty=ssh ruser= rhost=54.10.24.5 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P6.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:59:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"8905","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 01:59:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh 
from 40.220.102.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P5.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:54:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 17:54:09 wazuh-manager sshd[15724]: Invalid user root from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
04:53:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"2222","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 04:53:58 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P2.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 01:25:45","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 01:25:45 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P4.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:18:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"7558","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 20:18:53 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 141.98.81.37 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC6.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:07:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"7854","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 03:07:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 141.98.81.37 port 7854 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:04:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"8905","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 17:04:01 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 40.220.102.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["P1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:31:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4547","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 02:31:34 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 141.98.81.37 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC6.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:05:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 19:05:11 wazuh-manager sshd[15724]: Invalid user suricata from 134.87.21.47 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["PI1.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
21:43:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 21:43:53 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 45.124.37.241 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC6.8"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:20:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 03:20:39 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC2.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:34:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 10:34:47 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC3.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:13:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"8905","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 15:13:31 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for suricata from 40.220.102.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["CC9.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:48:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 18:48:49 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["P7.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:22:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 09:22:10 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 45.75.196.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":27,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["C1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:00:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 17:00:12 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 141.98.81.37 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["CC6.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:23:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"7558","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 16:23:02 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 134.87.21.47 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":3,"tsc":["P4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:09:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 20:09:16 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 16.4.20.20 port 4277 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:59:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3014","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 02:59:50 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 54.10.24.5 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P7.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
00:37:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4547","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 00:37:15 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.75.196.15 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":50,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["P2.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:45:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 21:45:53 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 40.220.102.15 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":44,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["P5.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:02:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 10:02:31 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC7.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:52:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"26874"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 12:52:37 wazuh-manager sshd[5330]: Failed 
password for suricata from 45.124.37.241 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC1.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 08:20:51","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 08:20:51 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:08:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL 
Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 19:08:03 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":13,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["CC6.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:06:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 09:06:32 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 134.87.21.47 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":7,"tsc":["CC5.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:54:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"7558","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 04:54:11 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute 
Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["P3.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:35:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"22","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 17:35:03 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":9,"tsc":["PI1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:43:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 05:43:46 wazuh-manager sshd[15722]: Invalid user NETWORK 
Service from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":11,"tsc":["CC6.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:05:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3014","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 00:05:20 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 40.220.102.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["PI1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:15:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 14:15:08 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["C1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 14:34:59","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 14:34:59 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 20:59:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"2222","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 20:59:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 16.4.20.20 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":24,"firedtimes":10,"tsc":["P4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
14:14:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 14:14:30 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P6.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 
16:50:31","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 16:50:31 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["P4.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:29:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 09:29:42 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 45.124.37.241 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:35:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"22","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 10:35:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 40.220.102.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["C1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:17:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4277"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 11:17:51 wazuh-manager sshd[5330]: Failed password for suricata from 45.75.196.15 port 4277 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["CC9.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:53:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 19:53:58 wazuh-manager sshd[15722]: Invalid user suricata from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:13:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 03:13:25 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 134.87.21.47 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P4.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 21:55:54","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 21:55:54 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC6.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 
13:55:29","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 13:55:29 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P2.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:09:23","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"wazuh","uid":"8","euid":"4","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 18:09:23 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=8 euid=4 tty=ssh ruser= rhost=16.4.20.20 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["P6.6"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:11:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 04:11:57 wazuh-manager sshd[15724]: Invalid user root from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["P3.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:15:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"8905","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 05:15:29 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 141.98.81.37 port 8905 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["P1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 17:19:50","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 17:19:50 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:32:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 11:32:20 wazuh-manager sshd[10022]: 
Invalid user SYSTEM from SYSTEM from 134.87.21.47 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:33:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 14:33:19 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC6.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
00:29:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"4277","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 00:29:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 40.220.102.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["PI1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:14:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"2222","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 19:14:02 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.124.37.241 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC3.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:58:04","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"root","uid":"8","euid":"49","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 09:58:04 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=8 euid=49 tty=ssh ruser= rhost=141.98.81.37 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P7.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 19:34:20","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 19:34:20 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P6.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:25:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7558","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 16:25:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.75.196.15 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["A1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
11:57:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 11:57:10 wazuh-manager sshd[15724]: Invalid user root from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:21:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 00:21:55 wazuh-manager sshd[5330]: Failed password for ec2-user from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P4.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:26:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 02:26:08 wazuh-manager sshd[5330]: Failed password for ec2-user from 16.4.20.20 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":5,"firedtimes":9,"tsc":["CC4.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
12:25:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 12:25:18 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.124.37.241 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC6.6"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
07:18:09","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"Administrators","uid":"37","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 07:18:09 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=10 tty=ssh ruser= rhost=141.98.81.37 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["PI1.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:39:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"26874","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 11:39:06 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 40.220.102.15 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P3.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 14:20:06","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 14:20:06 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["CC2.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:28:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 20:28:14 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 54.10.24.5 port 7854 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":8,"tsc":["P3.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:07:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"7854","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 03:07:54 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 40.220.102.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["PI1.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
21:17:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"7558","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 21:17:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 141.98.81.37 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC6.8"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 07:43:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"3527","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 07:43:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 16.4.20.20 port 3527 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["P6.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:43:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 21:43:18 wazuh-manager sshd[15724]: Invalid user wazuh from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC2.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:17:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 19:17:45 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 40.220.102.15 port 2222 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["C1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:56:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3014","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 00:56:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":4,"tsc":["CC6.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
23:01:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 23:01:18 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":28,"firedtimes":5,"tsc":["CC3.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:31:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL 
Service","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 13:31:12 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["PI1.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:39:43","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"ec2-user","uid":"15","euid":"19","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 11:39:43 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=15 euid=19 tty=ssh ruser= rhost=16.4.20.20 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["PI1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:13:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"8905","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 12:13:16 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 16.4.20.20 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["C1.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
15:55:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"4277"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 15:55:13 wazuh-manager sshd[5330]: Failed password for root from 134.87.21.47 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC8.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:14:36","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"wazuh","uid":"10","euid":"36","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 22:14:36 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=10 euid=36 tty=ssh ruser= rhost=54.10.24.5 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC1.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 19:39:31","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 19:39:31 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["PI1.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 02:10:09","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 02:10:09 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["CC1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 16:17:30","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 16:17:30 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC4.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:11:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 21:11:58 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 16.4.20.20 port 26874 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":49,"firedtimes":10,"tsc":["C1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:01:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 14:01:44 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: 
brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P6.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:39:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 06:39:03 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 134.87.21.47 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC2.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
09:21:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 09:21:17 wazuh-manager sshd[15722]: Invalid user root from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["CC7.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:24:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 02:24:07 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 40.220.102.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["A1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 02 04:24:03","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 04:24:03 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC2.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 08 07:17:17","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 07:17:17 wazuh-manager unix_chkpwd[29593]: password check failed for user (suricata)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:20:12","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"ec2-user","uid":"39","euid":"34","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 03:20:12 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=39 euid=34 tty=ssh ruser= rhost=187.80.4.18 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["P8.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:05:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 09:05:55 wazuh-manager sshd[15722]: Invalid user Administrators from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":32,"firedtimes":9,"tsc":["P6.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
10:40:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 10:40:13 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["P4.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
03:49:03","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"root","uid":"26","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 03:49:03 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=26 euid=25 tty=ssh ruser= rhost=45.75.196.15 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC7.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:41:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 06:41:08 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 16.4.20.20 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["A1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:01:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"5784","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 20:01:30 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 141.98.81.37 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P5.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:18:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 23:18:39 wazuh-manager sshd[15724]: Invalid user SYSTEM from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["C1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:43:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"SYSTEM","uid":"31","euid":"3","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 08:43:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=31 euid=3 tty=ssh ruser= rhost=187.80.4.18 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC3.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:16:43","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"NETWORK Service","uid":"21","euid":"50","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 13:16:43 wazuh-manager sshd[11294]: pam_unix(sshd:auth): 
authentication failure; logname= uid=21 euid=50 tty=ssh ruser= rhost=45.75.196.15 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC4.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:38:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 16:38:59 wazuh-manager sshd[5330]: Failed password for ec2-user from 141.98.81.37 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 22:50:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL 
Service","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 22:50:38 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:24:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 01:24:59 wazuh-manager sshd[15722]: Invalid user suricata from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":31,"firedtimes":12,"tsc":["P1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:46:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"4547","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 13:46:58 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral 
Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P7.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:18:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"2222","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 04:18:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 16.4.20.20 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC8.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:26:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 07:26:49 wazuh-manager sshd[15724]: Invalid user ec2-user from 54.10.24.5 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:36:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"5784","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 12:36:24 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 40.220.102.15 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC6.8"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 04:11:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"3475","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 04:11:05 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 54.10.24.5 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC3.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:05:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 21:05:35 wazuh-manager sshd[5330]: Failed password for wazuh from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P1.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:38:11","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"LOCAL 
Service","uid":"39","euid":"23","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 00:38:11 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=39 euid=23 tty=ssh ruser= rhost=45.75.196.15 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P7.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:00:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"5784","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 04:00:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 54.10.24.5 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["P4.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:46:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 06:46:47 wazuh-manager sshd[10022]: Invalid user root from root from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P7.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
01:27:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 01:27:58 wazuh-manager sshd[15722]: Invalid user Administrators from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC6.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:22:45","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"suricata","uid":"41","euid":"48","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 12:22:45 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=41 euid=48 tty=ssh ruser= rhost=187.80.4.18 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:18:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 19:18:50 wazuh-manager sshd[15724]: Invalid user wazuh from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC3.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 22:23:41","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 22:23:41 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 03:42:01","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 03:42:01 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 15:40:24","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 15:40:24 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts 
exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P4.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:20:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3475","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 12:20:11 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 187.80.4.18 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P6.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:42:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"26874","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 21:42:15 wazuh-manager sshd[19767]: error: maximum authentication 
attempts exceeded for wazuh from 134.87.21.47 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":2,"tsc":["P8.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:38:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 05:38:16 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["P4.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
08:52:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 08:52:08 wazuh-manager sshd[15724]: Invalid user ec2-user from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P3.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:54:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 11:54:42 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:29:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 14:29:20 wazuh-manager sshd[15724]: Invalid user Administrators from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P3.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 17:30:37","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 17:30:37 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":15,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["P6.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:25:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 21:25:08 wazuh-manager sshd[5413]: Failed password for invalid user root from 187.80.4.18 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P8.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:07:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3014","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 23:07:12 wazuh-manager sshd[19767]: error: maximum authentication 
attempts exceeded for LOCAL Service from 45.75.196.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["P6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:43:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 16:43:43 wazuh-manager sshd[5330]: Failed password for Administrators from 45.124.37.241 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":14,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["CC9.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
17:55:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 17:55:15 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC9.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:41:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7854","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 08:41:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.124.37.241 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:29:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 10:29:30 wazuh-manager sshd[5330]: Failed password for SYSTEM from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC7.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 17:05:49","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 17:05:49 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["P6.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:20:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 22:20:06 wazuh-manager sshd[5330]: Failed password for wazuh from 54.10.24.5 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["P1.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:17:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4277","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 
02 15:17:55 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 16.4.20.20 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":13,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["P4.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:31:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 08:31:35 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 141.98.81.37 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["P1.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 
00:37:38","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 00:37:38 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["A1.3"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:13:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 01:13:15 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 54.10.24.5 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["P6.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:35:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"4547","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 03:35:01 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 40.220.102.15 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 06:39:37","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 06:39:37 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["P4.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:52:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 22:52:33 wazuh-manager sshd[15724]: Invalid user ec2-user from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:03:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7558","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 09:03:25 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P4.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 08:35:57","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 08:35:57 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC4.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
10:22:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 10:22:51 wazuh-manager sshd[15724]: Invalid user suricata from 40.220.102.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 08:31:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 08:31:10 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral 
Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P4.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:03:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 22:03:29 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["PI1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:47:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 09:47:17 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 187.80.4.18 port 7558 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["CC9.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:46:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 15:46:52 wazuh-manager sshd[15724]: Invalid user Administrators from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["CC6.6"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
11:37:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"7854","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 11:37:03 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["A1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:27:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"4277","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 02:27:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["PI1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:40:33","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"SYSTEM","uid":"37","euid":"35","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 03:40:33 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=35 tty=ssh ruser= rhost=16.4.20.20 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["P6.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:14:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"26874","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 17:14:28 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for SYSTEM from 54.10.24.5 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["P6.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:27:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"4277","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 15:27:04 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":4,"tsc":["P6.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
11:53:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 11:53:34 wazuh-manager sshd[15722]: Invalid user ec2-user from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["PI1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:59:08","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"wazuh","uid":"32","euid":"18","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 06:59:08 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=32 euid=18 tty=ssh ruser= rhost=45.75.196.15 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":7,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["CC6.8"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:28:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 13:28:02 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 45.75.196.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:17:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK 
Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 15:17:38 wazuh-manager sshd[15722]: Invalid user NETWORK Service from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC3.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:05:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 12:05:11 wazuh-manager sshd[15724]: Invalid user suricata from 134.87.21.47 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["CC6.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:57:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 11:57:37 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 40.220.102.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["P7.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:19:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4547","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 21:19:52 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for LOCAL Service from 16.4.20.20 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P6.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 13:33:49","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 13:33:49 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC7.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
11:45:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 11:45:53 wazuh-manager sshd[15724]: Invalid user wazuh from 45.124.37.241 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["P7.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:56:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 17:56:41 wazuh-manager sshd[15722]: Invalid user Administrators from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:00:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 12:00:16 wazuh-manager sshd[15722]: Invalid user ec2-user from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC2.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:30:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 23:30:57 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 187.80.4.18 port 2222 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["A1.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:15:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 18:15:48 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 45.75.196.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P6.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:29:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 08:29:25 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC8.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:01:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 10:01:54 wazuh-manager sshd[5330]: Failed password for wazuh from 187.80.4.18 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P6.6"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 08 07:02:15","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK 
Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 07:02:15 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["PI1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:19:58","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"SYSTEM","uid":"16","euid":"1","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 08:19:58 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=1 tty=ssh ruser= rhost=54.10.24.5 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC1.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:58:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3475","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 04:58:09 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P3.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:39:02","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"suricata","uid":"0","euid":"41","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 04:39:02 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=41 tty=ssh ruser= rhost=141.98.81.37 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC2.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:07:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 13:07:48 wazuh-manager sshd[5330]: Failed password for ec2-user from 141.98.81.37 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":14,"tsc":["PI1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
06:31:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"22","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 06:31:11 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 54.10.24.5 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P7.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
07:40:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 07:40:43 wazuh-manager sshd[15724]: Invalid user suricata from 16.4.20.20 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC3.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:22:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"26874","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 17:22:26 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.75.196.15 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:38:36","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"wazuh","uid":"28","euid":"31","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 16:38:36 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=28 euid=31 tty=ssh ruser= rhost=40.220.102.15 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P7.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 07:56:52","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 07:56:52 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["P6.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:37:07","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"wazuh","uid":"47","euid":"21","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 18:37:07 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=47 euid=21 tty=ssh ruser= rhost=16.4.20.20 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":12,"tsc":["CC1.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:29:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 02:29:42 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 134.87.21.47 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":23,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["P3.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:49:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 21:49:27 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC6.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
10:42:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"2222","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 10:42:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 134.87.21.47 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["CC1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:49:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 07:49:28 wazuh-manager sshd[15724]: Invalid user wazuh from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["P6.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:06:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"8905","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 19:06:15 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.75.196.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 10:43:16","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 10:43:16 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts 
exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC6.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:56:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"26874","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 10:56:21 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 141.98.81.37 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["A1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
20:33:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 20:33:35 wazuh-manager sshd[15722]: Invalid user suricata from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["P6.6"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:25:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"5784","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 06:25:14 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 45.75.196.15 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC7.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:36:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 17:36:31 wazuh-manager sshd[5330]: Failed password for LOCAL Service from 16.4.20.20 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:51:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 04:51:39 wazuh-manager sshd[5330]: Failed password for ec2-user from 54.10.24.5 
port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC1.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:31:43","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"Administrators","uid":"28","euid":"38","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 17:31:43 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=28 euid=38 tty=ssh ruser= rhost=45.75.196.15 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:10:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 09:10:35 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 45.75.196.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC5.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:22:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 15:22:24 wazuh-manager sshd[15724]: Invalid user Administrators from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC2.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 07:06:12","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 07:06:12 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":4,"tsc":["CC6.8"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
09:48:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 09:48:17 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 134.87.21.47 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["CC6.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
06:16:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"7558","dstuser":"suricata"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 06:16:00 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for suricata from 134.87.21.47 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["P2.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:46:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4547","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 00:46:24 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 141.98.81.37 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["P6.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:01:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 19:01:11 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 16.4.20.20 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["P1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 07:09:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcport":"7558","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 07:09:56 
wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 54.10.24.5 port 7558 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 09:46:02","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 09:46:02 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["P6.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
16:28:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 16:28:39 wazuh-manager sshd[15724]: Invalid user root from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":24,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":11,"tsc":["PI1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:53:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 01:53:41 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["P4.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:26:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 07:26:46 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 40.220.102.15 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["CC3.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:27:42","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"root","uid":"24","euid":"13","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 09:27:42 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=24 
euid=13 tty=ssh ruser= rhost=45.124.37.241 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":39,"firedtimes":6,"tsc":["P6.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:12:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 09:12:50 wazuh-manager sshd[5413]: Failed password for invalid user root from 40.220.102.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts 
exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":9,"tsc":["P2.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:33:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7854","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 03:33:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.124.37.241 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:44:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 01:44:39 wazuh-manager 
sshd[10022]: Invalid user SYSTEM from SYSTEM from 16.4.20.20 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["P7.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:09:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 02:09:39 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 45.75.196.15 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":11,"tsc":["CC2.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
01:31:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 01:31:10 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 45.124.37.241 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":10,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["CC1.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:54:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 15:54:36 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.124.37.241 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P6.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:44:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4547","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 14:44:34 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 141.98.81.37 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:44:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"4277","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 14:44:11 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 134.87.21.47 port 4277 ssh2 [preauth]"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC5.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:40:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"4277","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 18:40:53 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 40.220.102.15 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":19,"firedtimes":15,"tsc":["CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
00:57:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"4547","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 00:57:25 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 45.124.37.241 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["CC7.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
04:47:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"8905","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 04:47:52 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 134.87.21.47 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P3.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:14:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 13:14:33 wazuh-manager sshd[15722]: Invalid user suricata from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["CC3.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:41:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"4547","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 03:41:24 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 134.87.21.47 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":39,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":2,"tsc":["CC9.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:51:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 01:51:54 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 187.80.4.18 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: 
Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC3.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:17:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 19:17:55 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 141.98.81.37 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":36,"firedtimes":4,"tsc":["CC2.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
18:39:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 18:39:57 wazuh-manager sshd[5413]: Failed password for invalid user root from 45.75.196.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
00:15:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 00:15:51 wazuh-manager sshd[5330]: Failed password for Administrators from 40.220.102.15 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":21,"firedtimes":14,"tsc":["CC5.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:51:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK 
Service","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 21:51:30 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 45.124.37.241 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["CC7.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:18:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 18:18:05 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 134.87.21.47 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":29,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":13,"tsc":["PI1.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:27:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 05:27:35 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.75.196.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
20:13:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"5784","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 20:13:38 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 45.75.196.15 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:53:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 04:53:37 wazuh-manager sshd[15724]: Invalid user wazuh from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC1.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:03:46","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"SYSTEM","uid":"37","euid":"11","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 09:03:46 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=11 tty=ssh ruser= rhost=54.10.24.5 user=SYSTEM"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["P6.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:18:48","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"54.10.24.5","dstuser":"wazuh","uid":"40","euid":"43","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 03:18:48 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; 
logname= uid=40 euid=43 tty=ssh ruser= rhost=54.10.24.5 user=wazuh"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":6,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["P7.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:56:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 12:56:34 wazuh-manager sshd[5413]: Failed password for invalid user suricata from 40.220.102.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["PI1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
00:47:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"5784","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 00:47:30 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 187.80.4.18 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["P7.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:36:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"8905","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 13:36:33 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 45.124.37.241 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 05:55:04","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 05:55:04 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":9,"tsc":["CC9.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:58:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 19:58:06 wazuh-manager sshd[10022]: Invalid user root from root from 16.4.20.20 port 2222 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P1.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:03:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 15:03:52 wazuh-manager sshd[15724]: Invalid user NETWORK Service from 45.75.196.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P7.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
11:23:49","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"suricata","uid":"49","euid":"49","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 11:23:49 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=49 euid=49 tty=ssh ruser= rhost=16.4.20.20 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":5,"tsc":["CC7.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:32:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"8905","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 08:32:37 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 45.75.196.15 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":46,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":8,"tsc":["CC1.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:59:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 13:59:36 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 16.4.20.20 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["C1.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 05 11:31:30","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 11:31:30 wazuh-manager unix_chkpwd[29593]: password check failed for user (LOCAL Service)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC6.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 16:14:04","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 16:14:04 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P8.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:24:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 23:24:52 wazuh-manager 
sshd[5330]: Failed password for Administrators from 40.220.102.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC6.6"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:36:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 10:36:04 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 40.220.102.15 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":4,"tsc":["CC1.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
02:45:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 02:45:02 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 187.80.4.18 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P2.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 02:46:24","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 02:46:24 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":9,"tsc":["CC1.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:30:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 01:30:12 wazuh-manager sshd[10022]: Invalid user Administrators from Administrators from 54.10.24.5 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC6.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:35:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 10:35:08 wazuh-manager sshd[5330]: Failed password for 
suricata from 141.98.81.37 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["P3.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:10:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 06:10:35 wazuh-manager sshd[10022]: Invalid user ec2-user from ec2-user from 40.220.102.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":15,"tsc":["P8.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
15:53:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 15:53:07 wazuh-manager sshd[5330]: Failed password for root from 187.80.4.18 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC1.4"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:20:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"55047","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 13:20:06 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 141.98.81.37 port 55047 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC8.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:46:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 02:46:55 wazuh-manager sshd[5330]: Failed password for wazuh from 187.80.4.18 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P6.6"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 17:57:57","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 17:57:57 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P6.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:00:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 18:00:08 wazuh-manager sshd[5330]: Failed password for SYSTEM from 141.98.81.37 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":13,"tsc":["P8.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 21:36:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 21:36:47 wazuh-manager sshd[10022]: Invalid user LOCAL Service from LOCAL Service from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["PI1.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:31:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3475","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 05:31:36 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 45.75.196.15 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC1.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 11:20:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 11:20:02 wazuh-manager sshd[15722]: Invalid user root from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC9.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 22:07:47","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 22:07:47 wazuh-manager unix_chkpwd[29593]: password check failed for user (NETWORK Service)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["CC5.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 08 08:39:58","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 08:39:58 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["A1.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:44:11","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"134.87.21.47","dstuser":"Administrators","uid":"14","euid":"25","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 19:44:11 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=14 euid=25 tty=ssh ruser= rhost=134.87.21.47 user=Administrators"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P7.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:41:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 16:41:05 wazuh-manager sshd[5330]: Failed password for wazuh from 187.80.4.18 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":10,"tsc":["CC7.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:02:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"4547","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 04:02:30 
wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 16.4.20.20 port 4547 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":31,"firedtimes":8,"tsc":["CC6.8"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:47:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 22:47:45 wazuh-manager sshd[5413]: Failed password for invalid user root from 16.4.20.20 port 8905 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":11,"firedtimes":15,"tsc":["CC1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:39:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 05:39:48 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force 
trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P6.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:24:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 03:24:14 wazuh-manager sshd[15722]: Invalid user root from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["P4.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:07:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 12:07:34 
wazuh-manager sshd[15724]: Invalid user ec2-user from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":12,"tsc":["P8.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:12:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 16:12:11 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 45.124.37.241 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 01 
16:55:29","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 16:55:29 wazuh-manager unix_chkpwd[29593]: password check failed for user (ec2-user)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":8,"firedtimes":13,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
14:27:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 14:27:13 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC3.4"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
04:55:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 04:55:40 wazuh-manager sshd[5330]: Failed password for Administrators from 16.4.20.20 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["CC7.5"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:13:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 20:13:25 wazuh-manager sshd[15724]: Invalid user suricata from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":9,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":7,"tsc":["P1.0"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:14:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 09:14:30 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 40.220.102.15 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["P3.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
01:51:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 01:51:13 wazuh-manager sshd[15722]: Invalid user SYSTEM from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":6,"tsc":["CC1.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:29:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 20:29:29 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 45.75.196.15 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":48,"firedtimes":3,"tsc":["CC1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:31:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 11:31:38 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 54.10.24.5 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC6.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:21:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"5784","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 04:21:27 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 134.87.21.47 port 5784 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":26,"firedtimes":12,"tsc":["CC6.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
21:12:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 21:12:26 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["CC6.4"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 
06:56:05","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 06:56:05 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P7.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:50:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 00:50:22 wazuh-manager sshd[15722]: Invalid user SYSTEM from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":6,"tsc":["P6.6"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:38:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 15:38:00 wazuh-manager sshd[15724]: Invalid user suricata from 45.124.37.241 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":15,"tsc":["PI1.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:30:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 00:30:16 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 
141.98.81.37 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":13,"tsc":["P8.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:11:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 12:11:21 wazuh-manager sshd[15722]: Invalid user root from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":37,"firedtimes":3,"tsc":["A1.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:29:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"3014","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 04:29:00 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 134.87.21.47 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":50,"firedtimes":15,"tsc":["CC2.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
09:19:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"4277","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 09:19:19 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 16.4.20.20 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC2.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:39:08","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"LOCAL 
Service","uid":"43","euid":"7","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 07:39:08 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=43 euid=7 tty=ssh ruser= rhost=45.75.196.15 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["CC8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:47:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"22","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 00:47:28 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for LOCAL Service from 40.220.102.15 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":11,"tsc":["CC3.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:32:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 17:32:09 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 134.87.21.47 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:11:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 06:11:18 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 45.124.37.241 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P5.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:29:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 00:29:31 wazuh-manager sshd[15724]: Invalid user SYSTEM from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":28,"firedtimes":2,"tsc":["P1.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
08:41:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"7854","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 08:41:44 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 7854 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P3.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 07 
13:50:42","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 13:50:42 wazuh-manager unix_chkpwd[29593]: password check failed for user (Administrators)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":41,"firedtimes":2,"tsc":["CC2.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:22:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 18:22:23 wazuh-manager sshd[5413]: Failed password for invalid user wazuh from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":9,"tsc":["PI1.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 15:21:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 15:21:12 wazuh-manager sshd[10022]: Invalid user suricata from suricata from 16.4.20.20 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC8.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
20:12:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 20:12:33 wazuh-manager sshd[5330]: Failed password for NETWORK Service from 16.4.20.20 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":5,"tsc":["P6.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 04:59:12","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 04:59:12 wazuh-manager unix_chkpwd[29593]: password check failed for user (root)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P5.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 22:03:40","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"suricata","uid":"4","euid":"34","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 22:03:40 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=4 euid=34 tty=ssh ruser= rhost=40.220.102.15 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["CC6.8"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:01:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcport":"8905","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 22:01:55 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for SYSTEM from 16.4.20.20 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC1.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:12:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 15:12:50 wazuh-manager sshd[15722]: Invalid user SYSTEM from 187.80.4.18 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":13,"tsc":["CC6.5"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
02:37:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 02:37:18 wazuh-manager sshd[5330]: Failed password for root from 187.80.4.18 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":5,"tsc":["CC4.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:16:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 00:16:12 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 40.220.102.15 port 3014 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:14:59","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"ec2-user","uid":"37","euid":"10","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 03:14:59 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=37 euid=10 tty=ssh ruser= rhost=45.124.37.241 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["A1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
14:08:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 14:08:53 wazuh-manager sshd[15722]: Invalid user root from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":12,"tsc":["P4.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:38:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"4277","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 05:38:13 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 141.98.81.37 port 4277 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":12,"tsc":["P1.0"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:20:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 23:20:54 wazuh-manager sshd[15722]: Invalid user LOCAL Service from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":9,"tsc":["P6.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:58:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 16:58:29 wazuh-manager sshd[5330]: Failed password for SYSTEM from 40.220.102.15 port 8905 ssh2"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P7.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:27:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"2222","dstuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 02:27:08 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for wazuh from 40.220.102.15 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":7,"firedtimes":7,"tsc":["P4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:00:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"55047","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 03:00:31 wazuh-manager sshd[5413]: Failed password for invalid user root from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["P7.0"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
07:58:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 07:58:14 wazuh-manager sshd[5330]: Failed password for wazuh from 141.98.81.37 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":26,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":5,"tsc":["CC2.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:30:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 14:30:03 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 187.80.4.18 port 55047 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":3,"tsc":["P5.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:39:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"2222","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 04:39:03 wazuh-manager sshd[5413]: Failed password for invalid user ec2-user from 54.10.24.5 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication 
failures.","id":5720,"level":10,"frequency":30,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":9,"tsc":["CC5.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:38:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 22:38:42 wazuh-manager sshd[5413]: Failed password for invalid user root from 54.10.24.5 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":16,"firedtimes":11,"tsc":["P8.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
09:41:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"5784","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 09:41:42 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 45.124.37.241 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":4,"tsc":["P7.0"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
13:40:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"22","dstuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 13:40:27 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for SYSTEM from 141.98.81.37 port 22 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["CC6.4"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:38:28","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"NETWORK Service","uid":"12","euid":"6","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 02:38:28 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=12 euid=6 tty=ssh ruser= rhost=45.75.196.15 user=NETWORK Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":28,"firedtimes":6,"tsc":["CC3.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:43:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"8905","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 11:43:05 wazuh-manager sshd[5413]: Failed password for invalid user LOCAL Service from 54.10.24.5 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication 
failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:47:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 05:47:13 wazuh-manager sshd[5330]: Failed password for ec2-user from 54.10.24.5 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["CC6.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:14:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 21:14:03 wazuh-manager sshd[10022]: Invalid user wazuh from 
wazuh from 187.80.4.18 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["A1.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:19:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 15:19:23 wazuh-manager sshd[15722]: Invalid user ec2-user from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":3,"tsc":["CC6.8"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
05:53:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 05:53:42 wazuh-manager sshd[15724]: Invalid user ec2-user from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":40,"firedtimes":11,"tsc":["CC9.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
03:09:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 03:09:38 wazuh-manager sshd[5413]: Failed password for invalid user SYSTEM from 45.75.196.15 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC4.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
02:58:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 02:58:26 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 187.80.4.18 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":9,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":14,"tsc":["CC1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:27:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 04:27:34 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 134.87.21.47 port 26874 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":11,"tsc":["P6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:42:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 12:42:11 wazuh-manager sshd[10022]: Invalid user SYSTEM from SYSTEM from 45.75.196.15 port 3527 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P4.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:45:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3014","dstuser":"LOCAL Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 17:45:03 wazuh-manager sshd[19767]: error: maximum authentication attempts 
exceeded for LOCAL Service from 45.124.37.241 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":7,"tsc":["P4.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:33:37","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"40.220.102.15","dstuser":"suricata","uid":"44","euid":"18","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 01:33:37 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=44 euid=18 tty=ssh ruser= rhost=40.220.102.15 user=suricata"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":37,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":10,"tsc":["P8.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:38:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 12:38:28 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 134.87.21.47 port 8905 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":7,"tsc":["CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:27:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 12:27:25 wazuh-manager sshd[15722]: Invalid user SYSTEM from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["CC5.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:35:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 11:35:41 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC6.5"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:33:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 21:33:06 wazuh-manager sshd[15724]: Invalid user LOCAL Service from 45.75.196.15 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":14,"tsc":["P7.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:24:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 05:24:41 wazuh-manager sshd[15722]: Invalid user suricata from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":11,"tsc":["P6.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
21:33:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 21:33:13 wazuh-manager sshd[15722]: Invalid user suricata from 16.4.20.20 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["CC8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:12:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 07:12:25 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 187.80.4.18 port 7558 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":10,"tsc":["P5.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:09:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 14:09:05 wazuh-manager sshd[15722]: Invalid user suricata from 54.10.24.5 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":2,"tsc":["CC1.5"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:39:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 17:39:27 wazuh-manager 
sshd[15722]: Invalid user ec2-user from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":26,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":6,"tsc":["CC1.3"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:47:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 19:47:19 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 187.80.4.18 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":8,"tsc":["PI1.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
08:56:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 08:56:04 wazuh-manager sshd[15724]: Invalid user wazuh from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":15,"tsc":["A1.3"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:15:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"26874","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 19:15:47 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 26874 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad 
password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":14,"firedtimes":13,"tsc":["P8.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:16:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3475","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 07:16:53 wazuh-manager sshd[5413]: Failed password for invalid user NETWORK Service from 40.220.102.15 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral 
Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":3,"tsc":["P4.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:12:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcport":"3014","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 17:12:43 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 45.75.196.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["CC3.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:22:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcport":"55047","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 11:22:07 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 141.98.81.37 port 55047 ssh2 
[preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":4,"tsc":["P5.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:40:20","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"187.80.4.18","dstuser":"Administrators","uid":"8","euid":"13","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 15:40:20 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=8 euid=13 tty=ssh ruser= rhost=187.80.4.18 user=Administrators"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":10,"tsc":["CC6.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 06 07:12:49","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 
07:12:49 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P7.0"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 04 19:53:26","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 19:53:26 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":12,"tsc":["CC2.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
16:43:06","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"root","uid":"48","euid":"41","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 16:43:06 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=48 euid=41 tty=ssh ruser= rhost=141.98.81.37 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: authentication failed.","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5716,"level":5,"mail":false,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["CC2.3"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:07:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/auth.log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 10:07:09 wazuh-manager sshd[5330]: Failed password for wazuh from 45.75.196.15 port 5784 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check 
failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC2.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 03 18:06:55","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"wazuh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 18:06:55 wazuh-manager unix_chkpwd[29593]: password check failed for user (wazuh)"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":2,"tsc":["CC2.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:32:56","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"root","uid":"8","euid":"26","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 11:32:56 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=8 euid=26 tty=ssh ruser= rhost=45.75.196.15 user=root"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":6,"tsc":["A1.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:19:44","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"16.4.20.20","dstuser":"LOCAL Service","uid":"16","euid":"37","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 11:19:44 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=37 tty=ssh ruser= rhost=16.4.20.20 user=LOCAL Service"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["CC7.3"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
03:44:30","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.75.196.15","dstuser":"root","uid":"16","euid":"37","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 03:44:30 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=16 euid=37 tty=ssh ruser= rhost=45.75.196.15 user=root"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":13,"tsc":["CC7.4"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:56:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"3014","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 09:56:06 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 40.220.102.15 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login 
failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":14,"tsc":["P2.0"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:07:37","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"45.124.37.241","dstuser":"ec2-user","uid":"48","euid":"49","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 03:07:37 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=48 euid=49 tty=ssh ruser= rhost=45.124.37.241 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"unix_chkpwd: Password check failed.","id":"5557","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["4.3"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":8,"tsc":["P6.3"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"unix_chkpwd","timestamp":"Mar 08 00:55:15","hostname":"wazuh-manager"},"decoder":{"name":"unix_chkpwd"},"data":{"srcuser":"SYSTEM"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 00:55:15 wazuh-manager unix_chkpwd[29593]: password check failed for user (SYSTEM)"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":32,"firedtimes":8,"tsc":["PI1.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:29:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"22","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 13:29:11 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 141.98.81.37 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":8,"tsc":["P5.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:00:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 03:00:20 wazuh-manager sshd[10022]: Invalid user wazuh from wazuh from 16.4.20.20 port 2222 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":5503,"level":5,"description":"PAM: User login failed.","mail":false,"groups":["pam","syslog","authentication_failed"],"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"firedtimes":3,"tsc":["CC6.5"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:06:35","hostname":"wazuh-manager"},"decoder":{"name":"pam"},"data":{"srcip":"141.98.81.37","dstuser":"ec2-user","uid":"41","euid":"27","tty":"ssh"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 10:06:35 wazuh-manager sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid=41 euid=27 tty=ssh ruser= 
rhost=141.98.81.37 user=ec2-user"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Multiple authentication failures.","id":5720,"level":10,"frequency":8,"groups":["syslog","sshd","authentication_failures"],"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"firedtimes":15,"tsc":["P1.0"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 10:08:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 10:08:37 wazuh-manager sshd[5413]: Failed password for invalid user root from 134.87.21.47 port 3475 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":6,"tsc":["PI1.4"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
13:05:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcport":"2222","dstuser":"Administrators"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 13:05:51 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for Administrators from 40.220.102.15 port 2222 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"hipaa":["164.312.b"],"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":"5710","nist_800_53":["AU.14","AC.7","AU.6"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":5,"tsc":["CC9.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:24:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 09:24:49 wazuh-manager sshd[15724]: Invalid user suricata from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":10,"tsc":["CC3.3"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:22:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 00:22:43 wazuh-manager sshd[10022]: Invalid user root from root from 54.10.24.5 port 4277 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":11,"tsc":["P8.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:44:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"7854","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 10:44:56 wazuh-manager sshd[19767]: error: maximum 
authentication attempts exceeded for root from 45.124.37.241 port 7854 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":14,"tsc":["CC4.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:38:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcport":"8905","dstuser":"NETWORK Service"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 14:38:10 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for NETWORK Service from 134.87.21.47 port 8905 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"Logon Failure - Unknown user or bad password","groups":["windows","windows_security","win_authentication_failed"],"id":60122,"level":5,"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.1","AC.7"],"frequency":9,"firedtimes":8,"tsc":["P6.4"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
21:08:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"22","win":{"eventdata":{"authenticationPackageName":"NTLM","failureReason":"%%2313","keyLength":0,"logonProcessName":"NtLmSsp","logonType":"3","processId":"0x0","status":"0xc000006d","subStatus":"0xc0000064","subjectLogonId":"0x0","subjectUserSid":"S-1-0-0","targetUserName":"DIRECTION","ipAddress":"45.124.37.241","ipPort":"5784"},"system":{"channel":"Security","keywords":"0x8010000000000000","level":"0","message":"","opcode":"0","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","providerName":"Microsoft-Windows-Security-Auditing","severityValue":"AUDIT_FAILURE","version":"0","computer":"Win_Server_02","eventID":"301","eventRecordID":"34617","processID":"33","systemTime":"2023-03-02T00:08:31.118+0000","task":"1146","threadID":"208"}}},"location":"EventChannel","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 21:08:31 wazuh-manager sshd[5413]: Failed password for invalid user Administrators from 16.4.20.20 port 22 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":7,"tsc":["P1.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
17:04:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcport":"3014","dstuser":"root"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 17:04:18 wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for root from 187.80.4.18 port 3014 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4","10.2.4","10.2.5"],"hipaa":["164.312.b"],"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5712","nist_800_53":["SI.4","AU.14","AC.7"],"frequency":8,"gdpr":["IV_35.7.d","IV_32.2"],"firedtimes":15,"tsc":["CC3.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:57:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 03:57:03 wazuh-manager sshd[15722]: Invalid user root from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"description":"sshd: Attempt to login using a non-existent 
user","groups":["syslog","sshd","invalid_login","authentication_failed"],"id":5710,"level":5,"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"firedtimes":7,"tsc":["CC7.5"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:33:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 02:33:38 wazuh-manager sshd[10022]: Invalid user NETWORK Service from NETWORK Service from 54.10.24.5 port 4547 ssh2"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"description":"Maximum authentication attempts exceeded.","groups":["syslog","sshd","authentication_failed"],"mitre":{"tactic":["Credential Access","Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1110","T1021"]},"id":"5758","gpg13":["7.1"],"firedtimes":2,"tsc":["P6.5"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:52:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcport":"3475","dstuser":"ec2-user"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 16:52:19 
wazuh-manager sshd[19767]: error: maximum authentication attempts exceeded for ec2-user from 45.124.37.241 port 3475 ssh2 [preauth]"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:55:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 01:55:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:14:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 05:14:04 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:55:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 08 03:55:07 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:15:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 15:15:49 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:44:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 16:44:54 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:52:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 22:52:16 wazuh-manager sshd[15409]: reverse mapping 
checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:29:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 07:29:21 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
02:38:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 02:38:18 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:23:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 14:23:59 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:22:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 09:22:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:48:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 15:48:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:50:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 03:50:19 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
01:36:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 01:36:37 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:44:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 17:44:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:36:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 14:36:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:35:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 06:35:24 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 26874"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:39:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 05:39:37 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:05:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 
20:05:44 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:43:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 15:43:28 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
14:10:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 14:10:23 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:10:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 08:10:17 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:38:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 09:38:44 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:51:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 02:51:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:17:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 17:17:29 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
04:02:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 04:02:55 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:38:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 00:38:34 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:40:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 11:40:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:47:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 07:47:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 22"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:15:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 09:15:44 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
16:42:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 16:42:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:43:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 04:43:45 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:26:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 20:26:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:07:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 00:07:10 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:52:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 01:52:55 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:46:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United 
States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 03:46:50 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:27:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 08:27:22 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
14:25:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 14:25:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:49:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 23:49:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:56:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 00:56:20 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:57:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL 
Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 19:57:39 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:10:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 22:10:48 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:58:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 12:58:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:35:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 12:35:50 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:57:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 06:57:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:28:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 01:28:17 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 07:25:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 07:25:59 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:51:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 22:51:10 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:24:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 19:24:26 wazuh-manager sshd[15409]: reverse mapping checking 
getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:43:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 00:43:05 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:14:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 08:14:32 wazuh-manager sshd[15225]: Did not receive identification 
string from 141.98.81.37 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:49:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 12:49:28 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:37:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 05:37:06 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
20:47:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 20:47:31 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:29:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 02:29:03 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:58:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 02:58:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 20:27:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 20:27:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:36:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 11:36:40 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:41:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 12:41:49 
wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:02:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 16:02:49 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:44:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 02:44:18 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:52:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 17:52:13 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:57:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK 
Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 04:57:23 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:31:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 19:31:26 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:26:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 20:26:30 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:52:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 03:52:16 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:40:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 01:40:49 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:24:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 16:24:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:00:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 07:00:35 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
22:34:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 22:34:49 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:53:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 14:53:19 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:24:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 16:24:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:40:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 21:40:23 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:21:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 14:21:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:08:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 05:08:46 wazuh-manager sshd[15225]: Did not receive 
identification string from 54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:46:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 06:46:38 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:30:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 23:30:23 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:13:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 11:13:56 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:29:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 13:29:41 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
06:38:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 06:38:07 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:39:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 23:39:36 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:03:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 03:03:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:47:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 08:47:55 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:37:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 03:37:04 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
19:24:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 19:24:54 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:17:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 17:17:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:39:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 22:39:04 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:32:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 21:32:07 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:07:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 20:07:51 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:55:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 16:55:29 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse 
lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:41:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 05:41:05 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:53:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 02:53:50 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 22"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:55:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 17:55:36 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:07:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 17:07:44 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:26:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 11:26:25 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:35:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL 
Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 13:35:27 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:32:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 17:32:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:29:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 02:29:18 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:04:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 14:04:54 wazuh-manager 
sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:08:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 06:08:26 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:43:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 20:43:22 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:39:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 11:39:41 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
03:52:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 03:52:52 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:31:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 19:31:55 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:56:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 21:56:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:59:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 15:59:59 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:25:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 03:25:22 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:32:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 23:32:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:20:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 03:20:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:50:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 19:50:19 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:32:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 20:32:54 
wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:47:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 15:47:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:35:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL 
Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 15:35:08 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:04:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 21:04:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:51:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 14:51:15 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:32:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 15:32:02 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:43:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 11:43:43 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:13:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 13:13:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 
141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:58:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 18:58:10 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:43:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 21:43:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:46:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 12:46:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:53:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 02:53:29 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:40:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 13:40:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:57:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 07:57:46 
wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:30:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 09:30:23 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:18:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 09:18:53 wazuh-manager sshd[15409]: 
reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:42:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 23:42:22 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
13:07:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 13:07:08 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:14:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 03:14:32 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
23:28:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 23:28:51 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:46:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 23:46:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:33:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 15:33:46 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:10:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 08:10:33 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 22:17:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 22:17:08 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
05:25:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 05:25:12 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:36:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 09:36:52 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:12:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 09:12:56 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
10:47:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 10:47:30 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:07:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 23:07:13 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:16:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 12:16:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:33:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 18:33:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
02:22:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 02:22:11 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:13:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 16:13:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:04:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 19:04:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:34:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 11:34:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:51:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 02:51:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:17:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 01:17:53 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
23:07:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 23:07:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:45:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 17:45:45 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:31:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 04:31:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:53:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 01:53:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:10:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 09:10:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:49:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 00:49:50 wazuh-manager 
sshd[15225]: Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:18:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 07:18:23 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
15:23:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 15:23:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:06:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 11:06:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:49:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 13:49:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:11:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 
15:11:44 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:16:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 14:16:27 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:32:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 20:32:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:12:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL 
Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 23:12:48 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:18:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 04:18:58 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
23:02:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 23:02:05 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:39:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 21:39:47 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:30:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 02:30:28 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:32:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 01:32:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:48:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 10:48:26 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:10:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 23:10:55 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
03:47:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 03:47:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:56:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 21:56:28 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:48:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 09:48:16 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:35:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 03:35:37 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:24:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 11:24:48 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:03:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 20:03:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:40:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 05:40:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:56:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 07:56:49 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
23:59:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 23:59:36 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:07:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 19:07:39 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:12:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 21:12:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:07:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 21:07:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 55047"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:27:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 18:27:10 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:06:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 14:06:39 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 
16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:24:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 02:24:04 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:26:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 01:26:50 wazuh-manager sshd[15225]: Did not receive 
identification string from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:46:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 10:46:26 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:04:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 22:04:01 
wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:20:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 23:20:08 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:20:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 01:20:08 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
00:03:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 00:03:23 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:09:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 11:09:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:07:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 08:07:37 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
06:11:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 06:11:25 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:06:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 15:06:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:02:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 00:02:36 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:41:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 15:41:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:56:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 12:56:22 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:11:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 13:11:04 wazuh-manager sshd[15225]: Did not 
receive identification string from 141.98.81.37 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:54:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 06:54:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
00:20:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 00:20:56 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:28:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 13:28:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 21:19:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 21:19:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:39:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 13:39:42 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version 
gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:32:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 09:32:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:01:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 
06:01:44 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:32:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 08:32:19 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:00:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 03:00:33 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:27:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 18:27:18 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:07:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 05:07:01 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:53:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK 
Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 16:53:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:34:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 01:34:42 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:00:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 03:00:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:29:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK 
Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 02:29:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:27:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 12:27:37 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:08:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 17:08:10 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:37:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 22:37:37 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:08:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 02:08:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
12:12:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 12:12:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:51:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 18:51:08 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:58:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 17:58:43 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
10:37:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 10:37:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:25:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 12:25:19 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:07:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 12:07:29 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:43:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 06:43:47 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:26:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 04:26:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:58:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 09:58:41 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:38:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 13:38:57 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:13:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 00:13:46 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:01:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 13:01:36 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version 
gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:50:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 02:50:09 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:51:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 16:51:26 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3475"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:17:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 23:17:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
14:04:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 14:04:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:57:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 16:57:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:47:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 00:47:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:55:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 13:55:42 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:41:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 14:41:08 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:12:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 20:12:35 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:09:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 22:09:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 06:04:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 06:04:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:47:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 11:47:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:49:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 11:49:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
16:38:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 16:38:33 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:45:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 10:45:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:41:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 02:41:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:53:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 16:53:01 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:28:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 06:28:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:20:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 06:20:59 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
02:23:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 02:23:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:09:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 14:09:39 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:33:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 05:33:10 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:19:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 19:19:00 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:43:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 15:43:10 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:27:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 15:27:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:58:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 02:58:24 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:32:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 15:32:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:30:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 03:30:15 
wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:05:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 02:05:25 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:14:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 04:14:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:08:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 16:08:51 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:41:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 07:41:52 wazuh-manager sshd[15409]: reverse 
mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:56:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 14:56:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:28:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 14:28:42 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
10:28:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 10:28:37 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:36:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 13:36:59 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:25:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 06:25:56 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:20:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 18:20:48 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
10:47:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 10:47:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:40:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 01:40:17 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 22:19:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 22:19:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:35:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 17:35:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:11:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 20:11:55 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:48:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 05:48:03 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:43:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 04:43:02 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:00:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 10:00:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
05:45:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 05:45:47 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:28:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 14:28:45 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:42:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 21:42:11 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 08:26:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 08:26:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:12:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 01:12:12 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
18:07:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 18:07:12 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:35:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 17:35:48 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:29:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 15:29:16 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:45:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 23:45:59 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:46:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 10:46:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:19:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL 
Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 13:19:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:08:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 10:08:00 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:22:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 17:22:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:46:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 21:46:16 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:02:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 14:02:08 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 07:20:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 
06 07:20:19 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:44:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 08:44:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:23:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 01:23:15 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:57:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL 
Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 18:57:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:12:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 10:12:52 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:13:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 08:13:08 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:57:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 10:57:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:20:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 06:20:42 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:35:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 
07 23:35:24 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:24:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 10:24:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:24:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 11:24:18 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
15:46:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 15:46:25 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:26:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 14:26:51 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:01:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 08:01:51 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
01:01:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 01:01:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:47:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 10:47:28 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:00:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 18:00:07 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:37:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 20:37:25 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:57:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 08:57:05 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
11:37:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 11:37:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:44:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 08:44:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 20:27:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 20:27:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:54:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 15:54:26 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server 
(or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:36:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 23:36:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:45:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 05:45:02 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:15:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 11:15:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 15:10:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 15:10:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
21:51:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 21:51:03 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:49:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 06:49:35 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:05:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 13:05:16 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:44:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 11:44:07 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:57:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 12:57:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 15:00:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 15:00:09 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
00:35:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 00:35:35 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:43:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 02:43:13 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 16:54:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 16:54:22 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:45:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 09:45:40 wazuh-manager sshd[15225]: Did not receive identification string from 
54.10.24.5 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:10:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 04:10:56 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:10:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 09:10:14 
wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:31:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 01:31:44 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:21:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 02:21:20 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:22:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 08:22:25 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:12:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 21:12:39 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:29:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL 
Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 01:29:02 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:37:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 11:37:47 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
11:19:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 11:19:24 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:33:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 05:33:55 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:32:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 13:32:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:06:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 02:06:25 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:13:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 07:13:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:41:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 13:41:37 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
16:34:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 16:34:26 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:36:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 05:36:45 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:59:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 03:59:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:37:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 00:37:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 01:53:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 01:53:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:48:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 20:48:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
11:31:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 11:31:47 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:25:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 18:25:20 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:29:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 12:29:08 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:39:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 15:39:50 wazuh-manager sshd[15409]: reverse mapping 
checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:41:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 18:41:12 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
12:22:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 12:22:36 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:34:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 22:34:50 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:59:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 14:59:51 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:27:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 16:27:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:58:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 12:58:31 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:30:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 13:30:53 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 3475"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:34:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 14:34:26 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:22:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 18:22:38 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:18:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 02:18:29 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:20:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 01:20:10 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:38:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 21:38:15 
wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:16:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 19:16:27 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:05:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL 
Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 09:05:54 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:05:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 23:05:51 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:04:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 07:04:08 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:49:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 23:49:31 
wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:57:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 04:57:25 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:30:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 11:30:55 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:58:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 11:58:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:06:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 08:06:43 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:18:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 03:18:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:44:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 21:44:58 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 08:15:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 08:15:54 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 
7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:07:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 17:07:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
19:08:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 19:08:07 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:35:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 23:35:06 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:47:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 16:47:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:04:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 16:04:11 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:23:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 15:23:06 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:23:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 18:23:50 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
21:09:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 21:09:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:23:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 22:23:26 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:03:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 11:03:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:05:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 20:05:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:09:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 15:09:24 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:49:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 04:49:25 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:37:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 07:37:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo 
for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:39:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 16:39:46 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
09:18:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 09:18:53 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:53:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 20:53:50 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:12:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 20:12:34 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:06:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 13:06:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:08:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 15:08:26 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:18:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 12:18:56 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:53:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 18:53:25 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:45:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 11:45:06 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 13:11:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 13:11:11 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
02:35:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 02:35:32 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:56:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 16:56:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:19:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 22:19:24 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
17:39:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 17:39:43 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:23:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 07:23:39 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:51:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 10:51:44 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:04:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 17:04:42 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version 
gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:35:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 10:35:04 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:25:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 22:25:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - 
POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:21:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 08:21:23 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
09:29:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 09:29:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 22:26:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 22:26:42 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:35:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 17:35:43 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:19:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 16:19:05 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or 
attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:10:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 10:10:11 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:58:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 16:58:37 wazuh-manager 
sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:00:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 03:00:34 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
22:25:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 22:25:25 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:21:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 14:21:21 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:06:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 23:06:26 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:29:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 13:29:33 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3527"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:13:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 19:13:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:26:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 07 09:26:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:56:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 19:56:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:58:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 16:58:00 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:52:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 18:52:17 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:16:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 22:16:59 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:33:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 21:33:11 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
00:56:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 00:56:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:00:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 07:00:47 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:51:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 14:51:21 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:28:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 13:28:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:32:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 05:32:11 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:39:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 
08:39:13 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:15:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 11:15:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
01:33:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 01:33:13 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:03:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 09:03:18 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:19:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 20:19:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:49:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 04:49:42 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:50:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 20:50:50 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:54:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 06 23:54:39 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:35:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 17:35:37 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
03:13:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 03:13:54 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:57:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 11:57:10 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:10:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 23:10:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:23:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 07:23:03 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:25:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 12:25:29 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:23:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 17:23:15 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 06:50:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 06:50:55 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
00:58:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 00:58:39 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:52:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 19:52:45 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 07:00:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 07:00:07 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:01:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 09:01:45 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 22"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 22:14:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 22:14:19 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:48:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 21:48:41 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:45:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK 
Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 16:45:15 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:21:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 19:21:19 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:28:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 12:28:12 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:24:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 01:24:58 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:13:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 12:13:36 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:01:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 23:01:06 wazuh-manager sshd[15225]: Did not receive identification 
string from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:42:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 18:42:26 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:34:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 19:34:35 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:37:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 11:37:11 wazuh-manager sshd[15409]: reverse mapping checking 
getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:37:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 01:37:36 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:48:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 16:48:40 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:15:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 14:15:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:41:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL 
Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 17:41:54 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:07:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 00:07:10 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:45:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 22:45:31 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:29:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 05:29:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 4547"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:20:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 16:20:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:46:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 19:46:21 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 06:51:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 06:51:18 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:40:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 08:40:58 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:42:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 04:42:10 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:21:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 21:21:09 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:43:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 07:43:31 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:33:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 09:33:29 wazuh-manager sshd[15409]: reverse mapping checking 
getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:57:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 18:57:44 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
12:30:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 12:30:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 01:20:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 01:20:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:49:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 15:49:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:05:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 06:05:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:27:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 14:27:36 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:34:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 21:34:59 wazuh-manager sshd[15122]: Bad 
protocol version identification '\\003' from 45.75.196.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:35:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 09:35:15 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:46:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 
01 10:46:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:57:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 21:57:42 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:46:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 03:46:26 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:32:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 01:32:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:55:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 03:55:54 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:31:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 05:31:37 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:24:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 21:24:33 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:36:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 17:36:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:27:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 08 04:27:56 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
15:46:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 15:46:06 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:34:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 23:34:50 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:50:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 04:50:04 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:10:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 02:10:05 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt 
(high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:22:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 09:22:14 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 01:17:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 01:17:09 wazuh-manager 
sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:26:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 01:26:51 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:08:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río 
de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 07:08:22 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:57:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 05:57:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
19:00:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 19:00:19 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:05:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 03:05:51 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:01:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 03:01:58 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:32:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 05:32:54 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 2222"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:53:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 09:53:29 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:05:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 19:05:32 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:38:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 10:38:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 20:29:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 20:29:00 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:00:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 02:00:23 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:19:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 06:19:20 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
21:36:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 21:36:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:44:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 20:44:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:54:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 00:54:28 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:01:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 20:01:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:51:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 19:51:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:47:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 17:47:34 wazuh-manager sshd[15225]: 
Did not receive identification string from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:26:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 12:26:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
12:23:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 12:23:20 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 04:08:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 04:08:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:16:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 00:16:04 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:51:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 05:51:17 wazuh-manager sshd[15409]: reverse mapping 
checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:22:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 11:22:07 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:41:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK 
Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 03:41:47 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:07:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 22:07:32 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:55:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 20:55:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 11:27:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 11:27:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 05:55:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 05:55:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:47:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 09:47:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:45:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 22:45:07 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
11:41:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 11:41:50 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:22:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 16:22:18 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:09:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 08:09:31 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:45:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 15:45:13 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:46:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 00:46:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:14:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 05:14:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
10:05:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 10:05:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:46:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 09:46:25 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:29:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 14:29:40 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:37:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 23:37:12 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:57:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 10:57:28 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:05:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 04:05:21 
wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:48:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 22:48:35 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:01:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 07:01:56 wazuh-manager sshd[15225]: 
Did not receive identification string from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 08:49:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 08:49:38 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:53:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 17:53:57 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:28:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 08:28:04 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:24:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 03:24:41 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:24:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 23:24:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 09:13:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 09:13:08 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:10:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 09:10:43 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
20:00:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 20:00:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 22:21:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 22:21:52 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:12:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 18:12:23 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 15:17:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 15:17:31 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:54:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 09:54:31 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:52:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 21:52:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:58:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 19:58:52 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
13:32:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 13:32:30 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:25:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 11:25:02 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:25:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 12:25:31 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:32:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 15:32:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 5784"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:44:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 22:44:59 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
20:29:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 20:29:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:47:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 19:47:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:14:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 09:14:39 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:56:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 03:56:51 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:54:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 12:54:01 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
23:27:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 23:27:52 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 21:32:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 21:32:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 19:32:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 19:32:59 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:18:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 03 10:18:34 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
21:38:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 21:38:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:19:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 07:19:46 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:40:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 05:40:40 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:56:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 14:56:45 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or 
attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 03:42:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 03:42:16 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:28:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 20:28:27 wazuh-manager sshd[15122]: Bad protocol version 
identification '\\003' from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:01:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 18:01:07 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
22:25:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 22:25:04 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:18:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 21:18:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:05:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 06:05:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:55:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 13:55:52 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
23:29:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 23:29:54 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:50:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 03:50:25 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:41:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 09:41:41 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:43:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 05:43:20 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:40:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 20:40:58 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:42:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 09:42:16 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4547"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 19:09:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 19:09:57 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:20:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 17:20:32 wazuh-manager sshd[15225]: Did not receive 
identification string from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:07:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 09:07:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:20:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 19:20:41 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:43:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 08:43:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
03:08:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 03:08:40 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:31:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 08:31:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 10:05:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 10:05:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:42:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 16:42:23 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 23:53:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 23:53:04 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:25:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 16:25:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:23:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 07:23:57 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:35:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 07:35:59 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 09:20:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 01 09:20:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:23:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 15:23:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:54:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 13:54:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:34:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 09:34:14 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
04:01:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 04:01:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:27:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 10:27:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:41:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 13:41:07 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
07:12:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 07:12:38 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 23:32:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 23:32:21 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 20:55:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 20:55:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:09:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 20:09:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 04:06:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 04:06:04 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
10:23:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 10:23:02 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:46:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 11:46:03 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:30:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 12:30:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 22:04:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 22:04:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:42:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 17:42:05 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
13:15:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 13:15:23 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:16:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 13:16:28 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:18:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 17:18:30 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:34:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 13:34:32 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or 
attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:50:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 02:50:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:14:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 01:14:01 wazuh-manager sshd[10385]: reverse 
mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:46:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 09:46:56 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:09:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 00:09:29 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:03:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 13:03:12 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:25:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 14:25:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:47:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 14:47:15 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 2222"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:04:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 23:04:35 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:07:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 03:07:34 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 
141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:40:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 12:40:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 13:39:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 13:39:03 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:29:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 11:29:10 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:17:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 06:17:24 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:31:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 01:31:07 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:52:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 08:52:01 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
04:56:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 04:56:40 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:42:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 11:42:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:55:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 17:55:49 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 19:51:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 19:51:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:14:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 04:14:36 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 21:18:25","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 21:18:25 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:05:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 17:05:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 21:41:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 21:41:16 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:41:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 17:41:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3475"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:58:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 18:58:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:39:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 08:39:44 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:20:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK 
Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 18:20:04 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:22:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 14:22:08 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
04:24:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 04:24:50 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:23:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 04:23:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:03:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 22:03:56 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
20:48:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 20:48:21 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:49:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 12:49:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:09:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 13:09:32 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:54:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 23:54:15 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:54:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 20:54:41 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:31:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 11:31:16 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:03:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 05:03:34 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:58:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 22:58:47 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:22:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 10:22:36 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:18:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 02 08:18:52 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:26:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 05:26:39 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:51:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 16:51:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:19:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 09:19:14 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:19:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 05:19:45 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:04:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 
05 10:04:30 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:02:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 19:02:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:51:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 15:51:53 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:54:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 14:54:34 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 
26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 14:01:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 14:01:49 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:30:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 13:30:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
23:25:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 23:25:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 03:38:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 03:38:32 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:37:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 17:37:23 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:35:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 12:35:38 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or 
attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:51:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 18:51:51 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:13:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 06:13:42 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 06:09:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 06:09:51 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:54:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 13:54:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:24:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 12:24:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
14:07:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 14:07:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:11:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 23:11:17 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:44:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 08 06:44:52 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
11:04:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 11:04:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 09:14:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 09:14:09 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:37:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 22:37:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:35:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 16:35:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:53:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 05:53:08 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
01:33:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 01:33:06 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:42:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 19:42:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 19:59:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 19:59:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:18:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 00:18:37 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:16:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 23:16:34 wazuh-manager 
sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:07:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 19:07:09 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
16:42:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 16:42:58 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:49:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 18:49:47 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:44:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 16:44:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:50:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK 
Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 08 06:50:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:44:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 21:44:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:11:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 05:11:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:46:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 16:46:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 02:04:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 02:04:38 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:38:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 02:38:43 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
12:30:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 12:30:36 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:16:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 05:16:31 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:02:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 07:02:36 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:16:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 23:16:24 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 3527"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:27:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 00:27:14 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:26:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 11:26:53 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:39:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL 
Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 17:39:52 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:16:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 22:16:46 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:01:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 01:01:40 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 02:56:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 02:56:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 3014"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:29:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 14:29:16 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:43:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 07:43:46 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:06:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 11:06:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 03:07:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 03:07:24 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
03:06:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 03:06:07 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:08:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 22:08:27 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:59:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 17:59:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:58:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 00:58:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:56:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 09:56:39 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
04:30:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 04:30:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:45:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 21:45:55 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
04:20:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 04:20:20 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:42:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 08:42:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:24:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 17:24:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
22:38:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 01 22:38:48 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 01:58:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 01:58:19 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 17:53:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 03 17:53:36 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 
21:43:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 21:43:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 01:40:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 01:40:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:33:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 14:33:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 07:58:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 07:58:18 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:31:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 06:31:34 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 11:38:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"Mar 07 11:38:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 16:29:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 16:29:51 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:31:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 07 17:31:02 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:42:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 04:42:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:33:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 06:33:05 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:14:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 16:14:37 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:23:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 10:23:17 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
06:19:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 06:19:55 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 15:55:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 01 15:55:06 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 08:34:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 08:34:56 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:34:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 20:34:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:32:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 16:32:47 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:54:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 02:54:42 wazuh-manager 
sshd[15225]: Did not receive identification string from 45.75.196.15 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 00:38:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 00:38:29 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 02:51:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 02:51:05 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
06:25:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 06:25:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 16:45:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 16:45:52 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:58:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 17:58:02 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:05:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 20:05:56 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or 
attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 06:48:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 06:48:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:58:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 10:58:22 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN 
ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:37:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 23:37:17 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
01:15:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 01:15:39 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:16:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 16:16:11 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 18:54:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 18:54:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:05:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 22:05:12 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:18:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 05:18:46 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
10:36:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 10:36:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:31:42","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 14:31:42 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:50:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 08:50:36 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:44:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 00:44:39 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:19:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 22:19:15 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:15:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 08 07:15:09 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 10:32:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 10:32:17 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 09:34:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 09:34:06 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:42:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 09:42:46 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 02:19:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 02:19:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
15:39:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 05 15:39:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 18:15:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 18:15:50 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:32:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 23:32:39 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 06:32:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 06:32:30 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:06:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 04:06:59 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:35:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 20:35:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 4277"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 04:30:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 04:30:51 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
09:20:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 09:20:10 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 18:03:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 18:03:02 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:35:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 11:35:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
18:30:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 18:30:44 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 10:58:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 10:58:12 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 08:57:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 08:57:33 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:52:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 07:52:06 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 5784"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 06:33:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 06:33:56 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 13:27:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 05 13:27:08 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:30:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 06:30:54 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:47:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 17:47:34 
wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:58:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 17:58:28 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:12:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK 
Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 04:12:57 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 11:05:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 11:05:34 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
13:32:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 13:32:17 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:17:07","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 02:17:07 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:57:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 11:57:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:38:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 05:38:43 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:01:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 00:01:37 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
21:20:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 21:20:24 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:59:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 07:59:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:18:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 14:18:18 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:28:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 22:28:45 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:21:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 16:21:14 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
03:35:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 03:35:49 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:43:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 04:43:46 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
13:41:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 13:41:38 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 10:37:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 05 10:37:27 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 05:51:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 05:51:57 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:05:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 10:05:29 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 4277"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 10:40:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 10:40:51 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:07:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 20:07:26 wazuh-manager sshd[15122]: Bad protocol 
version identification '\\003' from 187.80.4.18 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:34:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 17:34:01 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:12:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 22:12:56 
wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 20:50:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 20:50:11 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
05:21:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 05:21:41 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 00:14:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 00:14:04 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:16:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 03:16:29 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:28:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 05:28:36 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 21:30:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 21:30:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:49:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 16:49:09 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:01:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"root","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 02:01:14 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:55:12","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 04 01:55:12 wazuh-manager sshd[15225]: Did not receive identification string from 
45.124.37.241 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 08:55:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 08:55:59 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:38:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 23:38:00 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 04:50:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 04:50:02 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:04:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 19:04:22 
wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:59:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 22:59:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
16:07:59","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 16:07:59 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:16:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 18:16:43 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:05:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 20:05:46 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:06:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 06 14:06:31 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:12:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 05:12:04 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
23:11:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"suricata","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 23:11:13 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:30:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 13:30:08 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:05:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"SYSTEM","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 04:05:30 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:19:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 12:19:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 23:13:29","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 23:13:29 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
07:53:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 07:53:34 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 04:48:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 04:48:00 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 03:20:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 03:20:34 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:35:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 14:35:05 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 01:03:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 01:03:43 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:07:56","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL 
Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 02 06:07:56 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 23:32:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 23:32:49 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
04:07:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 04:07:24 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:38:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 17:38:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 13:06:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 13:06:00 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:15:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 
22:15:54 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 12:37:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 12:37:58 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:54:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 23:54:33 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 13:30:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 13:30:16 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
06:13:47","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 06:13:47 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 14:50:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 14:50:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 15:20:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 15:20:22 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 22:48:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 22:48:57 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 17:37:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 17:37:39 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 01:08:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 01:08:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 
port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:59:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 05 18:59:48 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:41:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 14:41:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 07:00:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 07:00:04 wazuh-manager sshd[15225]: Did not receive identification string from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 08:38:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 08:38:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 20:56:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 20:56:33 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
21:27:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 21:27:50 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 11:00:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 11:00:23 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:29:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 00:29:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:18:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 05:18:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7854"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:39:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 08:39:13 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:51:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 02 10:51:21 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 04:18:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 04:18:03 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:19:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 07:19:43 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:57:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 15:57:14 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:01:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 18:01:54 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 14:16:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 14:16:51 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] 
failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:22:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"Administrators","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 16:22:48 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 02:30:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 02:30:26 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:42:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 05:42:32 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 5784"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 14:30:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 01 14:30:31 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:36:41","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 18:36:41 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 16:29:33","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL 
Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 01 16:29:33 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:58:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 21:58:40 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
12:00:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 12:00:55 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:18:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 01 11:18:35 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:34:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 03:34:55 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 04:29:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 03 04:29:54 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt 
(high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 02:46:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 03 02:46:32 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:56:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 18:56:48 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo 
for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 16:14:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 05 16:14:11 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 12:30:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"wazuh","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 12:30:06 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:16:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 22:16:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 12:55:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 06 12:55:34 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
12:51:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 12:51:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:02:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 18:02:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 05:46:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 05:46:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:49:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 14:49:13 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:35:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 20:35:45 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 12:29:23","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL 
Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 12:29:23 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 17:09:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 17:09:20 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
07:59:20","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 08 07:59:20 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:24:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 03:24:50 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 
10:35:13","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 10:35:13 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.124.37.241.static.impsat.com.co [45.124.37.241] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 18:05:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"Administrators","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 18:05:38 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 06:08:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 06:08:44 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:11:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 19:11:34 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 21:15:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 21:15:14 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 00:52:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 03 00:52:18 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt 
(scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 12:26:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 12:26:02 wazuh-manager sshd[15225]: Did not receive identification string from 45.75.196.15 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 16:34:30","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 04 16:34:30 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 23:52:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 04 23:52:22 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 03:31:21","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 03 03:31:21 wazuh-manager sshd[15225]: Did not receive 
identification string from 45.124.37.241 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 22:53:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 06 22:53:10 wazuh-manager sshd[15225]: Did not receive identification string from 54.10.24.5 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:57:50","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"root","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 06 17:57:50 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo 
for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 18:10:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 01 18:10:06 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
09:28:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 09:28:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 11:56:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 11:56:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:13:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 03:13:43 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 23:14:43","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 07 23:14:43 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 5784"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 05:51:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 05:51:16 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:47:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 02 19:47:58 wazuh-manager sshd[15225]: Did not 
receive identification string from 54.10.24.5 port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:07:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 08 07:07:48 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 06:27:48","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 06:27:48 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 
port 7854"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 09:14:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 09:14:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 3475"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 07:22:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"LOCAL 
Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 07:22:00 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 05:59:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 04 05:59:03 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 06:00:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"SYSTEM","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 06:00:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 21:59:10","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 04 21:59:10 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
00:21:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 00:21:18 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 19:06:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 19:06:39 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 40.220.102.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 18:57:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 18:57:03 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 55047"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:27:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 07 22:27:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 19:20:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 02 19:20:35 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 07:21:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 08 07:21:22 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 07:32:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 07:32:11 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 10:20:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 10:20:54 wazuh-manager sshd[15225]: Did not receive identification string from 
187.80.4.18 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 23:30:28","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"NETWORK Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 03 23:30:28 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
00:43:44","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 00:43:44 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 54.10.24.5 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 19:40:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 07 19:40:38 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
08:52:16","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"SYSTEM","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 04 08:52:16 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 11:07:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 11:07:35 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:19:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 22:19:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 09:02:18","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 09:02:18 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 4277"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 00:55:22","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 02 00:55:22 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 03:33:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 03:33:06 
wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:10:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 00:10:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 
21:25:15","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"NETWORK Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 21:25:15 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":4},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 15:07:55","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"LOCAL Service","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 15:07:55 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 00:29:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 08 00:29:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 45.75.196.15.static.impsat.com.co [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:41:35","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"ec2-user","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 17:41:35 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 17:26:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 06 17:26:52 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 54.10.24.5.static.impsat.com.co [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:51:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 
17:51:05 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 17:13:32","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"7854"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 01 17:13:32 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 
01:18:57","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 08 01:18:57 wazuh-manager sshd[15225]: Did not receive identification string from 16.4.20.20 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:02:24","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL Service","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 17:02:24 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 03:49:39","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 06 03:49:39 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 3014"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
18:36:27","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 18:36:27 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 13:42:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 13:42:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:09:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 05 15:09:06 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 15:03:02","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"3014"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 15:03:02 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 13:36:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"LOCAL Service","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"Mar 03 13:36:09 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 2222"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
21:22:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 04 21:22:54 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 11:36:38","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 01 11:36:38 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 134.87.21.47.static.impsat.com.co [134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral 
Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 20:25:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3475"},"location":"/var/log/secure","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"Mar 05 20:25:51 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 21:47:36","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"suricata","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 06 21:47:36 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 17:24:08","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 05 17:24:08 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 15:29:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"SYSTEM","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 15:29:40 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 141.98.81.37.static.impsat.com.co [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 22:51:54","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"suricata","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 02 22:51:54 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":12},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 00:10:31","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"LOCAL Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 00:10:31 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:06:45","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"NETWORK Service","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 20:06:45 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 05:41:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 05:41:37 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:11:52","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"wazuh","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 07 22:11:52 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 141.98.81.37 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
15:04:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 15:04:01 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 22:00:11","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"2222"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 07 22:00:11 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 04:08:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 04:08:14 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:02:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"ec2-user","srcport":"55047"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 06 02:02:49 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 05:06:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 06 05:06:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
17:29:06","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"SYSTEM","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 04 17:29:06 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 16.4.20.20 port 4547"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 09:07:09","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 09:07:09 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 187.80.4.18.static.impsat.com.co [187.80.4.18] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 08 01:59:04","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"root","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 08 01:59:04 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [45.75.196.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":2},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 14:21:03","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"wazuh","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 04 14:21:03 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 14:07:53","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"wazuh","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 14:07:53 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":3},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 16:46:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"16.4.20.20","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 16:46:46 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 16.4.20.20.static.impsat.com.co [16.4.20.20] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 
23:38:26","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.75.196.15","srcuser":"ec2-user","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 03 23:38:26 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.75.196.15 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 08:23:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"ec2-user","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 08:23:05 wazuh-manager sshd[15225]: Did not receive identification string from 187.80.4.18 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":5},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
13:57:51","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"wazuh","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"Mar 07 13:57:51 wazuh-manager sshd[15225]: Did not receive identification string from 40.220.102.15 port 3527"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":9},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 10:51:00","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"NETWORK Service","srcport":"3527"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 02 10:51:00 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 17:34:05","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"Administrators","srcport":"7558"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 17:34:05 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 45.124.37.241 port 7558"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 03 18:01:46","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"54.10.24.5","srcuser":"LOCAL 
Service","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 03 18:01:46 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [54.10.24.5] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":8},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 01 20:56:37","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"Administrators","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 01 20:56:37 wazuh-manager sshd[15225]: Did not receive identification string from 141.98.81.37 port 4277"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 04 
11:15:58","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"LOCAL Service","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 04 11:15:58 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":15},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 00:25:40","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"root","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 07 00:25:40 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove 
Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":13},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 14:24:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"141.98.81.37","srcuser":"suricata","srcport":"4277"},"location":"/var/log/secure","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"Mar 05 14:24:14 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . [141.98.81.37] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":5,"pci_dss":["11.4"],"description":"sshd: Reverse lookup error (bad ISP or attack).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"id":["T1021"]},"id":"5702","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":11},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 20:02:34","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"40.220.102.15","srcuser":"root","srcport":"4547"},"location":"/var/log/secure","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"Mar 07 20:02:34 wazuh-manager sshd[15409]: reverse mapping checking getaddrinfo for 40.220.102.15.static.impsat.com.co [40.220.102.15] failed - POSSIBLE BREAK-IN ATTEMPT!"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":10,"pci_dss":["11.4"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors).","groups":["syslog","sshd"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5703","nist_800_53":["SI.4"],"frequency":6,"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":14},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 12:17:17","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"NETWORK Service","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"Mar 02 12:17:17 wazuh-manager sshd[10385]: reverse mapping checking getaddrinfo for . 
[134.87.21.47] failed - POSSIBLE BREAK-IN ATTEMPT!"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":6},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 05 12:45:01","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"187.80.4.18","srcuser":"wazuh","srcport":"26874"},"location":"/var/log/secure","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"Mar 05 12:45:01 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 187.80.4.18 port 26874"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":8,"pci_dss":["11.4"],"description":"sshd: Possible attack on the ssh server (or version gathering).","groups":["syslog","sshd","recon"],"mitre":{"tactic":["Lateral Movement"],"technique":["Brute Force","Remove Services"],"id":["T1021"]},"id":"5701","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":7},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 02 
04:37:19","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"134.87.21.47","srcuser":"Administrators","srcport":"5784"},"location":"/var/log/secure","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"Mar 02 04:37:19 wazuh-manager sshd[15122]: Bad protocol version identification '\\003' from 134.87.21.47 port 5784"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":1},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 06 02:14:14","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"ec2-user","srcport":"8905"},"location":"/var/log/secure","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"Mar 06 02:14:14 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 8905"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"mail":false,"level":6,"pci_dss":["11.4"],"description":"sshd: insecure connection attempt (scan).","groups":["syslog","sshd","recon"],"id":"5706","nist_800_53":["SI.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"firedtimes":10},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{"program_name":"sshd","timestamp":"Mar 07 
16:38:49","hostname":"wazuh-manager"},"decoder":{"name":"sshd","parent":"sshd"},"data":{"srcip":"45.124.37.241","srcuser":"NETWORK Service","srcport":"22"},"location":"/var/log/secure","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"Mar 07 16:38:49 wazuh-manager sshd[15225]: Did not receive identification string from 45.124.37.241 port 22"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH63974"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:40:30.635 2023] [autoindex:error] [pid 23422] [client 54.10.24.5:7854] AH63974: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH30459"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:56:38.953 2023] [autoindex:error] [pid 19048] [client 45.75.196.15:22] AH30459: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH94017"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 23:33:21.189 2023] [autoindex:error] [pid 11728] [client 141.98.81.37:4547] AH94017: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH73527"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 03:04:33.200 2023] [autoindex:error] [pid 17245] [client 141.98.81.37:5784] AH73527: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH52465"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:12:51.286 2023] [autoindex:error] 
[pid 23280] [client 45.75.196.15:55047] AH52465: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH16815"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:56:54.902 2023] [autoindex:error] [pid 16043] [client 187.80.4.18:8905] AH16815: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH25738"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 20:44:24.661 2023] [autoindex:error] [pid 27694] [client 45.124.37.241:3475] AH25738: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH41584"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 16:18:23.523 2023] [autoindex:error] [pid 19208] [client 134.87.21.47:2222] AH41584: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH51785"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:01:58.585 2023] [autoindex:error] [pid 19403] [client 16.4.20.20:55047] AH51785: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH13925"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 22:00:56.030 2023] 
[autoindex:error] [pid 29881] [client 45.124.37.241:5784] AH13925: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH35865"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 21:58:38.099 2023] [autoindex:error] [pid 18127] [client 16.4.20.20:5784] AH35865: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH71228"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:26:05.069 2023] [autoindex:error] [pid 29886] [client 187.80.4.18:3475] AH71228: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH97283"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:05:48.753 2023] [autoindex:error] [pid 14829] [client 45.124.37.241:4547] AH97283: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH91471"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 17:21:10.400 2023] [autoindex:error] [pid 13350] [client 40.220.102.15:22] AH91471: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7558","id":"AH48470"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
23:46:19.902 2023] [autoindex:error] [pid 24491] [client 16.4.20.20:7558] AH48470: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH67796"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:24:32.320 2023] [autoindex:error] [pid 14225] [client 45.124.37.241:4547] AH67796: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH26448"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 07:55:09.649 2023] [autoindex:error] [pid 17970] [client 45.75.196.15:7558] AH26448: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH76258"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:18:28.643 2023] [autoindex:error] [pid 19617] [client 141.98.81.37:22] AH76258: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH68715"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:01:35.085 2023] [autoindex:error] [pid 20370] [client 141.98.81.37:8905] AH68715: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH43618"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:53:04.259 2023] [autoindex:error] [pid 24502] [client 187.80.4.18:5784] AH43618: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3527","id":"AH64695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 09:46:11.021 2023] [autoindex:error] [pid 11865] [client 45.75.196.15:3527] AH64695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH89731"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:19:15.060 2023] [autoindex:error] [pid 18007] [client 54.10.24.5:8905] AH89731: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH84254"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 08:22:20.096 2023] [autoindex:error] [pid 20513] [client 40.220.102.15:26874] AH84254: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH11942"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:24:37.455 2023] [autoindex:error] [pid 10849] [client 45.75.196.15:7558] AH11942: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH43599"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 04:45:55.998 2023] [autoindex:error] [pid 29507] [client 134.87.21.47:2222] AH43599: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH92918"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:51:03.003 
2023] [autoindex:error] [pid 14118] [client 54.10.24.5:55047] AH92918: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH21462"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 05:41:47.478 2023] [autoindex:error] [pid 13987] [client 45.124.37.241:3527] AH21462: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH49539"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:22:51.960 2023] [autoindex:error] [pid 28306] [client 187.80.4.18:5784] AH49539: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH68963"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:22:00.730 2023] [autoindex:error] [pid 25961] [client 187.80.4.18:55047] AH68963: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH92357"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:38:52.401 2023] [autoindex:error] [pid 12488] [client 45.75.196.15:26874] AH92357: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH63204"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:21:54.851 2023] 
[autoindex:error] [pid 10879] [client 45.75.196.15:4547] AH63204: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH84003"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:28:57.020 2023] [autoindex:error] [pid 20381] [client 187.80.4.18:55047] AH84003: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH55105"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:37:44.254 2023] [autoindex:error] [pid 27517] [client 45.124.37.241:7558] AH55105: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH27216"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 11:59:59.969 2023] [autoindex:error] [pid 19892] [client 54.10.24.5:3014] AH27216: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH34904"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:32:00.595 2023] [autoindex:error] [pid 24138] [client 45.75.196.15:7558] AH34904: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH32474"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 12:42:34.789 2023] [autoindex:error] [pid 29045] [client 187.80.4.18:3527] AH32474: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH15305"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 18:28:09.866 2023] [autoindex:error] [pid 11961] [client 54.10.24.5:55047] AH15305: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3475","id":"AH76038"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Fri Mar 03 11:24:38.788 2023] [autoindex:error] [pid 28526] [client 16.4.20.20:3475] AH76038: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH94547"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:44:53.824 2023] [autoindex:error] [pid 28458] [client 16.4.20.20:3527] AH94547: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH21853"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:07:10.747 2023] [autoindex:error] [pid 23765] [client 45.75.196.15:8905] AH21853: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH31334"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:35:23.113 2023] 
[autoindex:error] [pid 12913] [client 40.220.102.15:3014] AH31334: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH18135"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 20:50:47.684 2023] [autoindex:error] [pid 16125] [client 45.124.37.241:4277] AH18135: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH65411"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:37:46.434 2023] [autoindex:error] [pid 12573] [client 40.220.102.15:5784] AH65411: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH60929"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:58:42.019 2023] [autoindex:error] [pid 23711] [client 16.4.20.20:7854] AH60929: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH48289"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:01:16.550 2023] [autoindex:error] [pid 24015] [client 134.87.21.47:5784] AH48289: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH18253"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:03:20.486 2023] [autoindex:error] [pid 20903] [client 16.4.20.20:5784] AH18253: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH38398"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:21:20.962 2023] [autoindex:error] [pid 19457] [client 40.220.102.15:2222] AH38398: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH16816"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:05:46.939 2023] [autoindex:error] [pid 21236] [client 54.10.24.5:7854] AH16816: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH23327"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:32:45.212 2023] [autoindex:error] [pid 15360] [client 40.220.102.15:8905] AH23327: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH11178"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:12:05.496 2023] [autoindex:error] [pid 12247] [client 45.75.196.15:4547] AH11178: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH14971"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:10:34.353 2023] [autoindex:error] [pid 22815] [client 187.80.4.18:3475] AH14971: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH69050"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:37:36.758 2023] [autoindex:error] [pid 12104] [client 40.220.102.15:7854] AH69050: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH79511"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:03:59.285 2023] [autoindex:error] [pid 19243] [client 16.4.20.20:4277] AH79511: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH60982"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:34:08.547 2023] [autoindex:error] [pid 26695] [client 141.98.81.37:3475] AH60982: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH90247"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:31:33.220 2023] [autoindex:error] [pid 25896] [client 45.124.37.241:7854] AH90247: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH49752"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 14:20:00.930 2023] [autoindex:error] [pid 12924] [client 54.10.24.5:4277] AH49752: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH30878"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 19:23:12.531 2023] [autoindex:error] 
[pid 21942] [client 16.4.20.20:3527] AH30878: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH46280"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 18:43:46.379 2023] [autoindex:error] [pid 13743] [client 45.75.196.15:4277] AH46280: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH24959"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 01:59:38.594 2023] [autoindex:error] [pid 27927] [client 54.10.24.5:3475] AH24959: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH36105"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 14:47:26.845 2023] [autoindex:error] [pid 14724] [client 40.220.102.15:26874] AH36105: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH88959"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 01:46:22.899 2023] [autoindex:error] [pid 10432] [client 141.98.81.37:7854] AH88959: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7558","id":"AH83598"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 
03:47:16.582 2023] [autoindex:error] [pid 29430] [client 16.4.20.20:7558] AH83598: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH40146"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 22:03:51.036 2023] [autoindex:error] [pid 16824] [client 45.124.37.241:26874] AH40146: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH14162"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:03:29.782 2023] [autoindex:error] [pid 10441] [client 187.80.4.18:22] AH14162: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH21480"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:33:27.693 2023] [autoindex:error] [pid 28645] [client 141.98.81.37:7854] AH21480: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH14078"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:39:43.277 2023] [autoindex:error] [pid 19078] [client 16.4.20.20:4547] AH14078: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH40286"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
01:07:49.906 2023] [autoindex:error] [pid 16907] [client 16.4.20.20:3014] AH40286: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH44163"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 05:39:36.344 2023] [autoindex:error] [pid 20284] [client 54.10.24.5:4277] AH44163: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH37703"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:59:27.725 2023] [autoindex:error] [pid 13603] [client 134.87.21.47:3014] AH37703: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH46086"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:36:33.451 2023] [autoindex:error] [pid 17527] [client 45.75.196.15:7558] AH46086: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH11456"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:06:56.030 2023] [autoindex:error] [pid 16456] [client 40.220.102.15:7854] AH11456: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH62445"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:16:40.042 2023] [autoindex:error] [pid 23273] [client 45.75.196.15:55047] AH62445: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH93856"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Fri Mar 03 02:35:15.119 2023] [autoindex:error] [pid 23450] [client 45.124.37.241:5784] AH93856: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH93401"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:52:45.706 2023] [autoindex:error] [pid 28225] [client 141.98.81.37:7854] AH93401: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH31890"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 22:02:58.421 2023] [autoindex:error] [pid 18044] [client 45.124.37.241:3475] AH31890: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH89066"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 08 02:15:32.692 2023] [autoindex:error] [pid 16874] [client 187.80.4.18:7558] AH89066: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH15797"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 22:52:27.553 2023] [autoindex:error] [pid 11241] [client 141.98.81.37:8905] AH15797: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH50757"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:30:35.095 2023] [autoindex:error] [pid 16992] [client 187.80.4.18:7558] AH50757: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH65903"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 14:40:14.454 2023] [autoindex:error] [pid 27249] [client 45.124.37.241:2222] AH65903: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH92356"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:50:35.740 2023] [autoindex:error] [pid 22515] [client 187.80.4.18:22] AH92356: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH37769"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu 
Mar 02 14:34:32.037 2023] [autoindex:error] [pid 13234] [client 40.220.102.15:5784] AH37769: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH74546"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 10:37:25.159 2023] [autoindex:error] [pid 16642] [client 141.98.81.37:3475] AH74546: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH86956"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:51:47.215 2023] [autoindex:error] [pid 27336] [client 40.220.102.15:7558] AH86956: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"26874","id":"AH95070"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:55:17.892 2023] [autoindex:error] [pid 26393] [client 16.4.20.20:26874] AH95070: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH46067"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:15:38.038 2023] [autoindex:error] [pid 13319] [client 54.10.24.5:7854] AH46067: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"2222","id":"AH32301"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:38:49.941 2023] [autoindex:error] [pid 
13505] [client 16.4.20.20:2222] AH32301: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH19471"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:41:04.232 2023] [autoindex:error] [pid 25227] [client 16.4.20.20:3527] AH19471: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH19695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:59:09.539 2023] [autoindex:error] [pid 22207] [client 45.124.37.241:3014] AH19695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH14132"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:21:15.973 2023] [autoindex:error] [pid 17554] [client 40.220.102.15:7558] AH14132: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH34669"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:45:19.778 2023] [autoindex:error] [pid 17748] [client 134.87.21.47:3527] AH34669: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH77011"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:19:02.819 2023] [autoindex:error] [pid 17032] [client 40.220.102.15:7854] AH77011: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH58540"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:53:05.930 2023] [autoindex:error] [pid 29438] [client 16.4.20.20:22] AH58540: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH36857"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 22:02:00.436 2023] [autoindex:error] [pid 19029] [client 16.4.20.20:22] AH36857: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH23081"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 00:40:41.990 
2023] [autoindex:error] [pid 22574] [client 187.80.4.18:3014] AH23081: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH59591"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:01:54.440 2023] [autoindex:error] [pid 11769] [client 45.75.196.15:3475] AH59591: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH22370"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 13:04:41.607 2023] [autoindex:error] [pid 11647] [client 141.98.81.37:5784] AH22370: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7558","id":"AH86390"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:41:18.320 2023] [autoindex:error] [pid 22818] [client 16.4.20.20:7558] AH86390: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH35910"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:38:36.979 2023] [autoindex:error] [pid 26592] [client 134.87.21.47:4547] AH35910: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH30665"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
16:14:01.511 2023] [autoindex:error] [pid 27778] [client 187.80.4.18:8905] AH30665: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH25495"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:33:16.248 2023] [autoindex:error] [pid 17569] [client 141.98.81.37:22] AH25495: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH36407"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:56:00.863 2023] [autoindex:error] [pid 27834] [client 134.87.21.47:3475] AH36407: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH16493"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:47:20.370 2023] [autoindex:error] [pid 22816] [client 141.98.81.37:3475] AH16493: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH93053"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:59:51.870 2023] [autoindex:error] [pid 23658] [client 134.87.21.47:3014] AH93053: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH98171"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat 
Mar 04 15:04:59.112 2023] [autoindex:error] [pid 12253] [client 45.75.196.15:22] AH98171: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH33138"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 15:21:04.331 2023] [autoindex:error] [pid 23679] [client 187.80.4.18:55047] AH33138: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH67012"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 04:02:49.274 2023] [autoindex:error] [pid 20137] [client 141.98.81.37:7558] AH67012: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH88736"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:24:28.852 2023] [autoindex:error] [pid 10145] [client 45.75.196.15:5784] AH88736: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH81981"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:34:35.595 2023] [autoindex:error] [pid 15315] [client 54.10.24.5:26874] AH81981: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH41766"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:06:54.398 2023] 
[autoindex:error] [pid 22565] [client 141.98.81.37:55047] AH41766: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH72071"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:15:50.764 2023] [autoindex:error] [pid 19677] [client 187.80.4.18:4277] AH72071: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH17259"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:40:05.191 2023] [autoindex:error] [pid 22736] [client 134.87.21.47:7558] AH17259: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH72817"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:06:29.427 2023] [autoindex:error] [pid 23528] [client 16.4.20.20:5784] AH72817: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH45781"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:43:43.445 2023] [autoindex:error] [pid 14568] [client 45.75.196.15:7854] AH45781: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH12741"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 21:21:45.704 2023] [autoindex:error] [pid 14298] [client 54.10.24.5:3527] AH12741: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH47340"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:04:01.236 2023] [autoindex:error] [pid 26168] [client 54.10.24.5:4277] AH47340: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH13908"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:12:13.891 2023] [autoindex:error] [pid 13022] [client 45.75.196.15:7854] AH13908: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH53695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
11:29:57.303 2023] [autoindex:error] [pid 10210] [client 16.4.20.20:4277] AH53695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH35962"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 07:18:44.083 2023] [autoindex:error] [pid 27817] [client 187.80.4.18:3527] AH35962: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH90763"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:50:11.549 2023] [autoindex:error] [pid 15756] [client 141.98.81.37:8905] AH90763: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH99649"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 17:53:51.088 2023] [autoindex:error] [pid 16268] [client 45.124.37.241:22] AH99649: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH97815"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 23:53:48.820 2023] [autoindex:error] [pid 14910] [client 45.75.196.15:8905] AH97815: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH11086"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:59:23.656 2023] [autoindex:error] [pid 11093] [client 141.98.81.37:3527] AH11086: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH51519"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:03:08.775 2023] [autoindex:error] [pid 20306] [client 141.98.81.37:7854] AH51519: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH10951"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 15:26:58.724 2023] [autoindex:error] [pid 18645] [client 16.4.20.20:5784] AH10951: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH61601"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
06:20:45.681 2023] [autoindex:error] [pid 20975] [client 45.75.196.15:7854] AH61601: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH69305"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 11:59:41.403 2023] [autoindex:error] [pid 19454] [client 54.10.24.5:4547] AH69305: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH76398"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:58:58.433 2023] [autoindex:error] [pid 19285] [client 54.10.24.5:55047] AH76398: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH22988"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 14:34:43.736 2023] [autoindex:error] [pid 19034] [client 45.75.196.15:26874] AH22988: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH41916"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 06:30:20.789 2023] [autoindex:error] [pid 28638] [client 134.87.21.47:4547] AH41916: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH78006"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
07:58:23.781 2023] [autoindex:error] [pid 15594] [client 45.75.196.15:55047] AH78006: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH68405"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:57:52.628 2023] [autoindex:error] [pid 27528] [client 45.75.196.15:7558] AH68405: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH69396"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 19:08:02.279 2023] [autoindex:error] [pid 12668] [client 54.10.24.5:5784] AH69396: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH54343"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 11:03:07.575 2023] [autoindex:error] [pid 25414] [client 141.98.81.37:7854] AH54343: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH48781"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:35:03.794 2023] [autoindex:error] [pid 28373] [client 134.87.21.47:7854] AH48781: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH37302"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:40:57.782 2023] 
[autoindex:error] [pid 23511] [client 16.4.20.20:3527] AH37302: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH90958"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 15:12:50.995 2023] [autoindex:error] [pid 20389] [client 45.124.37.241:3527] AH90958: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH54284"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:04:11.540 2023] [autoindex:error] [pid 15369] [client 45.124.37.241:3014] AH54284: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH96209"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:17:00.907 2023] [autoindex:error] [pid 24547] [client 45.124.37.241:7854] AH96209: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH87909"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:36:33.656 2023] [autoindex:error] [pid 20883] [client 187.80.4.18:7558] AH87909: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"8905","id":"AH30218"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:04:28.129 2023] [autoindex:error] [pid 27260] [client 16.4.20.20:8905] AH30218: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH25578"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:55:34.259 2023] [autoindex:error] [pid 17570] [client 141.98.81.37:55047] AH25578: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH15435"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:20:45.468 2023] [autoindex:error] [pid 18259] [client 16.4.20.20:22] AH15435: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH75956"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 20:48:16.633 2023] [autoindex:error] [pid 17037] [client 45.75.196.15:26874] AH75956: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH27527"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:06:08.682 2023] [autoindex:error] [pid 16683] [client 54.10.24.5:5784] AH27527: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH85354"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 14:43:14.616 2023] [autoindex:error] [pid 14490] [client 16.4.20.20:55047] AH85354: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH66080"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:14:57.719 2023] [autoindex:error] [pid 15134] [client 40.220.102.15:26874] AH66080: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH80988"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 15:44:36.979 2023] [autoindex:error] [pid 18264] [client 141.98.81.37:22] AH80988: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH48681"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:01:30.914 2023] [autoindex:error] [pid 19837] [client 45.75.196.15:5784] AH48681: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH97035"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:37:29.655 2023] [autoindex:error] [pid 20161] [client 134.87.21.47:4277] AH97035: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH98509"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 15:12:15.069 
2023] [autoindex:error] [pid 23986] [client 54.10.24.5:7558] AH98509: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH13389"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:46:31.932 2023] [autoindex:error] [pid 29194] [client 40.220.102.15:4277] AH13389: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH76956"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:36:57.359 2023] [autoindex:error] [pid 20924] [client 187.80.4.18:55047] AH76956: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH71345"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 09:09:24.827 2023] [autoindex:error] [pid 22521] [client 45.75.196.15:22] AH71345: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH47289"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 08:18:23.848 2023] [autoindex:error] [pid 24219] [client 45.75.196.15:4277] AH47289: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH96462"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:29:58.132 2023] [autoindex:error] [pid 28091] [client 134.87.21.47:55047] AH96462: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH97777"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:01:19.428 2023] [autoindex:error] [pid 18777] [client 134.87.21.47:26874] AH97777: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH53012"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:46:50.574 2023] [autoindex:error] [pid 19639] [client 187.80.4.18:3527] AH53012: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH80785"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu 
Mar 02 02:08:45.002 2023] [autoindex:error] [pid 20870] [client 16.4.20.20:4547] AH80785: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH27727"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:59:15.673 2023] [autoindex:error] [pid 26950] [client 45.124.37.241:4277] AH27727: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH62679"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:07:13.004 2023] [autoindex:error] [pid 16870] [client 187.80.4.18:8905] AH62679: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH75303"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:50:51.185 2023] [autoindex:error] [pid 10287] [client 45.124.37.241:4277] AH75303: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH22744"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 22:24:16.858 2023] [autoindex:error] [pid 14295] [client 16.4.20.20:3014] AH22744: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH64204"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
12:08:48.693 2023] [autoindex:error] [pid 24072] [client 134.87.21.47:4547] AH64204: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"8905","id":"AH18260"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 02:17:00.513 2023] [autoindex:error] [pid 14522] [client 16.4.20.20:8905] AH18260: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3014","id":"AH55857"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 08:06:11.560 2023] [autoindex:error] [pid 23246] [client 141.98.81.37:3014] AH55857: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH87630"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:52:47.699 2023] [autoindex:error] [pid 26923] [client 187.80.4.18:5784] AH87630: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH90933"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 11:56:33.421 2023] [autoindex:error] [pid 12219] [client 45.124.37.241:7558] AH90933: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH58543"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 04:29:17.837 2023] [autoindex:error] [pid 15986] [client 134.87.21.47:26874] AH58543: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH21643"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:15:37.073 2023] [autoindex:error] [pid 17017] [client 40.220.102.15:5784] AH21643: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH99762"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:36:48.448 2023] [autoindex:error] [pid 24360] [client 45.124.37.241:3014] AH99762: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH38991"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:01:37.648 2023] [autoindex:error] [pid 14959] [client 45.75.196.15:8905] AH38991: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH29851"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:06:21.037 2023] [autoindex:error] [pid 25235] [client 40.220.102.15:3527] AH29851: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH57418"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:10:32.900 2023] [autoindex:error] [pid 17306] [client 54.10.24.5:8905] AH57418: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH73796"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:07:40.968 
2023] [autoindex:error] [pid 24390] [client 45.75.196.15:4547] AH73796: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH45406"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:58:09.534 2023] [autoindex:error] [pid 29625] [client 40.220.102.15:8905] AH45406: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH91931"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 15:53:32.772 2023] [autoindex:error] [pid 10944] [client 54.10.24.5:22] AH91931: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH45185"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:24:38.769 2023] [autoindex:error] [pid 13225] [client 141.98.81.37:4547] AH45185: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH13258"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:59:06.613 2023] [autoindex:error] [pid 22873] [client 141.98.81.37:8905] AH13258: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH14774"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:03:49.072 2023] [autoindex:error] [pid 15961] [client 54.10.24.5:22] AH14774: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH22671"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:42:04.376 2023] [autoindex:error] [pid 12099] [client 134.87.21.47:4547] AH22671: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH39899"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:25:59.669 2023] [autoindex:error] [pid 14953] [client 141.98.81.37:22] AH39899: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH91457"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:41:35.644 2023] [autoindex:error] [pid 17555] [client 141.98.81.37:2222] AH91457: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"26874","id":"AH36601"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:12:06.807 2023] [autoindex:error] [pid 23667] [client 141.98.81.37:26874] AH36601: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH52975"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:14:50.901 2023] [autoindex:error] [pid 13218] [client 40.220.102.15:3527] AH52975: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH51249"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:56:52.524 2023] [autoindex:error] [pid 10063] [client 141.98.81.37:3475] AH51249: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH12156"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 21:00:28.078 2023] [autoindex:error] [pid 13088] [client 141.98.81.37:55047] AH12156: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH13747"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
22:08:33.501 2023] [autoindex:error] [pid 26239] [client 54.10.24.5:8905] AH13747: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH17989"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 15:15:19.210 2023] [autoindex:error] [pid 18490] [client 16.4.20.20:3527] AH17989: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3475","id":"AH51158"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 22:05:08.966 2023] [autoindex:error] [pid 16026] [client 16.4.20.20:3475] AH51158: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH63464"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 15:01:51.978 2023] [autoindex:error] [pid 21599] [client 141.98.81.37:5784] AH63464: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH37671"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:14:50.910 2023] [autoindex:error] [pid 12448] [client 45.124.37.241:2222] AH37671: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH36753"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 
15:45:30.587 2023] [autoindex:error] [pid 16634] [client 134.87.21.47:2222] AH36753: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH73945"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 11:09:22.098 2023] [autoindex:error] [pid 13375] [client 187.80.4.18:4277] AH73945: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH40410"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 08:35:31.573 2023] [autoindex:error] [pid 13580] [client 54.10.24.5:55047] AH40410: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH75344"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:58:11.016 2023] [autoindex:error] [pid 16981] [client 54.10.24.5:26874] AH75344: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH80703"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:56:11.979 2023] [autoindex:error] [pid 24148] [client 134.87.21.47:22] AH80703: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"26874","id":"AH77458"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:24:02.096 2023] [autoindex:error] [pid 14164] [client 16.4.20.20:26874] AH77458: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH46793"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 05:04:35.206 2023] [autoindex:error] [pid 14722] [client 45.75.196.15:4277] AH46793: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH64312"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 02:45:04.797 2023] [autoindex:error] [pid 24183] [client 45.75.196.15:22] AH64312: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH85454"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:24:38.475 2023] [autoindex:error] [pid 16125] [client 187.80.4.18:5784] AH85454: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3527","id":"AH21384"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 00:42:38.214 2023] [autoindex:error] [pid 26446] [client 45.75.196.15:3527] AH21384: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH88421"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:34:55.594 2023] 
[autoindex:error] [pid 17241] [client 45.75.196.15:7854] AH88421: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH89599"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:08:32.970 2023] [autoindex:error] [pid 25112] [client 141.98.81.37:4277] AH89599: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3527","id":"AH32136"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:18:21.847 2023] [autoindex:error] [pid 26645] [client 45.75.196.15:3527] AH32136: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH31278"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:49:21.427 2023] [autoindex:error] [pid 22591] [client 54.10.24.5:8905] AH31278: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH56038"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:59:42.918 2023] [autoindex:error] [pid 22419] [client 45.124.37.241:5784] AH56038: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH49392"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:05:12.681 
2023] [autoindex:error] [pid 24170] [client 134.87.21.47:26874] AH49392: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH80404"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:43:38.846 2023] [autoindex:error] [pid 18695] [client 45.124.37.241:3475] AH80404: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH38468"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:55:26.197 2023] [autoindex:error] [pid 23255] [client 141.98.81.37:4277] AH38468: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH59878"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 22:39:18.556 2023] [autoindex:error] [pid 18631] [client 134.87.21.47:8905] AH59878: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH96591"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:24:18.825 2023] [autoindex:error] [pid 23333] [client 45.124.37.241:3475] AH96591: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH85675"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 02:52:00.340 2023] [autoindex:error] [pid 18614] [client 141.98.81.37:3527] AH85675: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH25978"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 06:27:39.079 2023] [autoindex:error] [pid 21330] [client 45.75.196.15:22] AH25978: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH28686"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:26:42.409 2023] [autoindex:error] [pid 20997] [client 45.124.37.241:4277] AH28686: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH40523"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:33:50.327 
2023] [autoindex:error] [pid 24532] [client 134.87.21.47:5784] AH40523: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH89102"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:09:20.061 2023] [autoindex:error] [pid 22729] [client 54.10.24.5:55047] AH89102: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH76255"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 01:39:59.017 2023] [autoindex:error] [pid 16731] [client 45.75.196.15:3014] AH76255: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH29030"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:10:22.024 2023] [autoindex:error] [pid 14680] [client 141.98.81.37:7558] AH29030: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH87801"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:41:33.525 2023] [autoindex:error] [pid 15787] [client 40.220.102.15:55047] AH87801: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH89842"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 
04 17:03:23.312 2023] [autoindex:error] [pid 24411] [client 187.80.4.18:3014] AH89842: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH60860"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:21:01.171 2023] [autoindex:error] [pid 26802] [client 16.4.20.20:3014] AH60860: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH29840"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:37:19.431 2023] [autoindex:error] [pid 28065] [client 141.98.81.37:2222] AH29840: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH67144"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:12:18.823 2023] [autoindex:error] [pid 27779] [client 45.75.196.15:22] AH67144: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH65507"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 04:30:59.998 2023] [autoindex:error] [pid 20175] [client 54.10.24.5:5784] AH65507: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH27223"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 14:10:39.548 2023] [autoindex:error] 
[pid 29507] [client 45.124.37.241:22] AH27223: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH66887"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:35:11.344 2023] [autoindex:error] [pid 23874] [client 141.98.81.37:3475] AH66887: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH42478"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:55:47.855 2023] [autoindex:error] [pid 15542] [client 134.87.21.47:26874] AH42478: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH97741"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:48:19.298 2023] [autoindex:error] [pid 16606] [client 141.98.81.37:4277] AH97741: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH95181"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:00:01.033 2023] [autoindex:error] [pid 28204] [client 40.220.102.15:26874] AH95181: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH80110"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat 
Mar 04 07:44:29.945 2023] [autoindex:error] [pid 16694] [client 40.220.102.15:7558] AH80110: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH17881"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:33:24.209 2023] [autoindex:error] [pid 21814] [client 45.75.196.15:8905] AH17881: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH48425"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:39:41.506 2023] [autoindex:error] [pid 25168] [client 45.124.37.241:22] AH48425: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH87813"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:22:27.465 2023] [autoindex:error] [pid 26025] [client 40.220.102.15:3014] AH87813: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH21239"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:06:45.715 2023] [autoindex:error] [pid 28917] [client 45.75.196.15:3475] AH21239: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH71059"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 
04 23:51:26.666 2023] [autoindex:error] [pid 18954] [client 134.87.21.47:2222] AH71059: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH26938"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:16:58.378 2023] [autoindex:error] [pid 26759] [client 45.75.196.15:5784] AH26938: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH91695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:07:41.800 2023] [autoindex:error] [pid 14283] [client 187.80.4.18:5784] AH91695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"2222","id":"AH72925"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:40:18.243 2023] [autoindex:error] [pid 11904] [client 54.10.24.5:2222] AH72925: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH49554"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:45:56.887 2023] [autoindex:error] [pid 27912] [client 45.75.196.15:5784] AH49554: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH40495"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 
02 12:15:11.959 2023] [autoindex:error] [pid 21306] [client 16.4.20.20:3014] AH40495: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"2222","id":"AH25775"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 01:21:57.139 2023] [autoindex:error] [pid 12431] [client 54.10.24.5:2222] AH25775: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH28883"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:52:47.244 2023] [autoindex:error] [pid 18481] [client 187.80.4.18:5784] AH28883: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH78298"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 20:46:47.644 2023] [autoindex:error] [pid 12765] [client 40.220.102.15:22] AH78298: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH91171"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 10:15:18.872 2023] [autoindex:error] [pid 17231] [client 187.80.4.18:3527] AH91171: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"2222","id":"AH44896"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:40:47.005 2023] [autoindex:error] [pid 21032] [client 54.10.24.5:2222] AH44896: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH33727"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:40:05.384 2023] [autoindex:error] [pid 29079] [client 54.10.24.5:7854] AH33727: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH76160"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:11:47.102 2023] [autoindex:error] [pid 18392] [client 45.75.196.15:8905] AH76160: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH88859"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 16:38:17.039 2023] [autoindex:error] [pid 15807] [client 134.87.21.47:2222] AH88859: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH49057"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:34:41.541 2023] [autoindex:error] [pid 23403] [client 45.75.196.15:22] AH49057: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH98261"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:47:57.550 2023] [autoindex:error] [pid 17370] [client 40.220.102.15:7854] AH98261: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH58127"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 23:26:12.212 2023] [autoindex:error] [pid 25691] [client 45.75.196.15:22] AH58127: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) 
found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH21100"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:58:00.378 2023] [autoindex:error] [pid 26054] [client 45.124.37.241:22] AH21100: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH20550"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:42:50.767 2023] [autoindex:error] [pid 21308] [client 45.124.37.241:26874] AH20550: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH25411"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:20:38.327 2023] [autoindex:error] [pid 27262] [client 45.124.37.241:4547] AH25411: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH89055"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 09:34:13.540 2023] [autoindex:error] [pid 12586] [client 141.98.81.37:55047] AH89055: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH32985"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat 
Mar 04 03:39:07.910 2023] [autoindex:error] [pid 27330] [client 45.75.196.15:7854] AH32985: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH65514"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:00:57.278 2023] [autoindex:error] [pid 25344] [client 134.87.21.47:5784] AH65514: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH79663"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:14:28.003 2023] [autoindex:error] [pid 28116] [client 187.80.4.18:5784] AH79663: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH79943"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 19:09:09.457 2023] [autoindex:error] [pid 14570] [client 40.220.102.15:26874] AH79943: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH14314"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:05:12.878 2023] [autoindex:error] [pid 12935] [client 45.75.196.15:7854] AH14314: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH96399"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 00:51:17.415 
2023] [autoindex:error] [pid 15295] [client 45.75.196.15:3475] AH96399: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH58946"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:15:09.198 2023] [autoindex:error] [pid 16154] [client 134.87.21.47:3014] AH58946: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH89254"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 10:00:22.819 2023] [autoindex:error] [pid 13256] [client 134.87.21.47:5784] AH89254: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH73749"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 23:09:41.703 2023] [autoindex:error] [pid 14785] [client 54.10.24.5:8905] AH73749: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH51309"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:02:22.552 2023] [autoindex:error] [pid 11061] [client 134.87.21.47:8905] AH51309: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH24415"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 00:56:14.597 2023] [autoindex:error] [pid 14085] [client 45.124.37.241:3475] AH24415: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH88763"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:35:21.713 2023] [autoindex:error] [pid 26606] [client 45.124.37.241:7854] AH88763: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH10508"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:20:51.490 2023] [autoindex:error] [pid 20872] [client 45.75.196.15:4547] AH10508: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH91550"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:45:13.532 2023] 
[autoindex:error] [pid 24981] [client 40.220.102.15:3527] AH91550: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH84106"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:23:38.719 2023] [autoindex:error] [pid 18229] [client 16.4.20.20:7854] AH84106: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH95614"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 20:00:23.579 2023] [autoindex:error] [pid 12708] [client 54.10.24.5:7854] AH95614: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH41582"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:32:11.670 2023] [autoindex:error] [pid 15655] [client 54.10.24.5:5784] AH41582: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH97191"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 16:32:12.781 2023] [autoindex:error] [pid 28275] [client 141.98.81.37:2222] AH97191: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH94231"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 00:15:09.062 2023] [autoindex:error] [pid 13565] [client 134.87.21.47:8905] AH94231: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH53742"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 18:23:07.096 2023] [autoindex:error] [pid 23074] [client 54.10.24.5:4277] AH53742: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH51634"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:42:02.264 2023] [autoindex:error] [pid 13031] [client 187.80.4.18:3475] AH51634: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH38260"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:02:44.628 2023] 
[autoindex:error] [pid 11048] [client 45.75.196.15:7854] AH38260: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH31667"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:10:47.336 2023] [autoindex:error] [pid 20363] [client 54.10.24.5:3527] AH31667: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH66615"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 17:55:29.609 2023] [autoindex:error] [pid 28805] [client 141.98.81.37:4277] AH66615: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH98320"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 00:12:43.793 2023] [autoindex:error] [pid 19653] [client 45.124.37.241:7854] AH98320: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH69164"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:46:49.956 2023] [autoindex:error] [pid 17063] [client 187.80.4.18:55047] AH69164: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH36010"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:03:37.381 2023] [autoindex:error] [pid 10156] [client 187.80.4.18:3527] AH36010: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH13155"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:41:00.280 2023] [autoindex:error] [pid 17408] [client 187.80.4.18:55047] AH13155: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH59553"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 21:54:56.941 2023] [autoindex:error] [pid 14475] [client 141.98.81.37:2222] AH59553: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH39019"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:58:35.910 2023] [autoindex:error] [pid 21810] [client 40.220.102.15:5784] AH39019: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH65653"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:32:34.457 2023] [autoindex:error] [pid 10540] [client 45.75.196.15:3014] AH65653: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH59497"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:15:24.875 2023] [autoindex:error] [pid 16798] [client 187.80.4.18:4277] AH59497: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH99152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:04:32.503 2023] [autoindex:error] [pid 12637] [client 54.10.24.5:26874] AH99152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH77965"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:51:32.826 2023] [autoindex:error] [pid 11153] [client 134.87.21.47:3014] AH77965: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH87392"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 
11:59:35.931 2023] [autoindex:error] [pid 17011] [client 54.10.24.5:4547] AH87392: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH20695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:19:05.391 2023] [autoindex:error] [pid 22415] [client 45.124.37.241:3527] AH20695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH56649"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:02:33.055 2023] [autoindex:error] [pid 18057] [client 134.87.21.47:55047] AH56649: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH39742"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:06:18.407 2023] [autoindex:error] [pid 12062] [client 54.10.24.5:26874] AH39742: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH67563"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:07:07.920 2023] [autoindex:error] [pid 25340] [client 134.87.21.47:3014] AH67563: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH69729"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun 
Mar 05 18:05:22.455 2023] [autoindex:error] [pid 13502] [client 45.75.196.15:7854] AH69729: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"26874","id":"AH19413"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:07:49.521 2023] [autoindex:error] [pid 15577] [client 187.80.4.18:26874] AH19413: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH75833"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:06:29.797 2023] [autoindex:error] [pid 10010] [client 187.80.4.18:55047] AH75833: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH61008"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:46:15.491 2023] [autoindex:error] [pid 28388] [client 45.75.196.15:3014] AH61008: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH63598"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 07:29:40.433 2023] [autoindex:error] [pid 16077] [client 141.98.81.37:4277] AH63598: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH43555"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:11:07.601 2023] [autoindex:error] [pid 29259] [client 45.124.37.241:2222] AH43555: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH35558"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:00:43.154 2023] [autoindex:error] [pid 13773] [client 141.98.81.37:3527] AH35558: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH82374"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:46:29.800 2023] [autoindex:error] [pid 26294] [client 45.75.196.15:3475] AH82374: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH72684"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:42:52.868 2023] 
[autoindex:error] [pid 24788] [client 187.80.4.18:22] AH72684: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH38607"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:42:34.155 2023] [autoindex:error] [pid 19984] [client 45.75.196.15:2222] AH38607: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH77140"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 18:30:52.819 2023] [autoindex:error] [pid 22952] [client 45.124.37.241:3475] AH77140: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH20732"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:36:01.866 2023] [autoindex:error] [pid 19840] [client 54.10.24.5:7854] AH20732: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH71980"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:38:33.418 2023] [autoindex:error] [pid 26053] [client 54.10.24.5:8905] AH71980: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH72907"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
00:46:12.159 2023] [autoindex:error] [pid 27573] [client 134.87.21.47:4277] AH72907: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH18545"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 11:44:53.625 2023] [autoindex:error] [pid 20238] [client 54.10.24.5:4547] AH18545: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH33228"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:56:28.695 2023] [autoindex:error] [pid 29564] [client 45.124.37.241:4547] AH33228: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH37180"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:23:52.570 2023] [autoindex:error] [pid 19479] [client 40.220.102.15:7558] AH37180: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH88029"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 23:19:19.458 2023] [autoindex:error] [pid 11494] [client 45.124.37.241:2222] AH88029: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH42951"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:37:16.383 2023] [autoindex:error] [pid 28584] [client 141.98.81.37:2222] AH42951: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH82731"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:06:51.687 2023] [autoindex:error] [pid 18766] [client 187.80.4.18:55047] AH82731: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH87805"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:51:04.701 2023] [autoindex:error] [pid 23716] [client 40.220.102.15:3475] AH87805: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH86807"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 15:48:00.842 2023] [autoindex:error] [pid 12634] [client 54.10.24.5:7558] AH86807: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH92660"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 16:47:10.186 2023] [autoindex:error] [pid 11921] [client 141.98.81.37:5784] AH92660: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, 
and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH86625"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 17:11:01.968 2023] [autoindex:error] [pid 21904] [client 134.87.21.47:5784] AH86625: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH60090"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:58:17.457 2023] [autoindex:error] [pid 25709] [client 54.10.24.5:7558] AH60090: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH13204"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:56:07.639 2023] [autoindex:error] [pid 21417] [client 134.87.21.47:55047] AH13204: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH61613"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:01:32.356 2023] [autoindex:error] [pid 14107] [client 40.220.102.15:7558] AH61613: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH99760"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:44:30.197 2023] [autoindex:error] [pid 19552] [client 45.124.37.241:7854] AH99760: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH90804"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:14:33.019 2023] [autoindex:error] [pid 24127] [client 141.98.81.37:3527] AH90804: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH13192"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:42:12.080 2023] [autoindex:error] [pid 19617] [client 16.4.20.20:22] AH13192: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH24604"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:54:38.344 2023] [autoindex:error] [pid 14222] [client 40.220.102.15:8905] AH24604: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH37015"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:56:01.020 2023] [autoindex:error] [pid 11103] [client 187.80.4.18:5784] AH37015: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH31863"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 15:43:30.212 2023] [autoindex:error] [pid 25226] [client 40.220.102.15:5784] AH31863: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH86932"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:41:47.890 2023] [autoindex:error] [pid 10288] [client 45.124.37.241:4547] AH86932: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"8905","id":"AH56986"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:32:44.246 2023] [autoindex:error] [pid 12084] [client 16.4.20.20:8905] AH56986: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH86854"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 
11:26:46.585 2023] [autoindex:error] [pid 19786] [client 45.124.37.241:22] AH86854: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH59938"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:09:12.088 2023] [autoindex:error] [pid 23032] [client 134.87.21.47:4547] AH59938: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH18455"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:57:59.533 2023] [autoindex:error] [pid 17834] [client 45.124.37.241:4547] AH18455: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH14883"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 21:31:33.442 2023] [autoindex:error] [pid 20945] [client 187.80.4.18:7558] AH14883: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH84425"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:17:42.819 2023] [autoindex:error] [pid 26774] [client 134.87.21.47:26874] AH84425: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7558","id":"AH61448"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 00:35:09.973 2023] [autoindex:error] [pid 23365] [client 16.4.20.20:7558] AH61448: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH63273"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 22:24:59.907 2023] [autoindex:error] [pid 16952] [client 45.75.196.15:5784] AH63273: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH45298"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:57:28.123 2023] [autoindex:error] [pid 12528] [client 45.124.37.241:3014] AH45298: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH20878"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
22:18:19.815 2023] [autoindex:error] [pid 15139] [client 45.124.37.241:26874] AH20878: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH64469"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 01 19:46:15.169 2023] [autoindex:error] [pid 26514] [client 134.87.21.47:5784] AH64469: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH13094"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 23:11:18.785 2023] [autoindex:error] [pid 29399] [client 134.87.21.47:3475] AH13094: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH11403"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:00:14.721 2023] [autoindex:error] [pid 14862] [client 16.4.20.20:4547] AH11403: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH31780"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:56:50.669 2023] [autoindex:error] [pid 25892] [client 40.220.102.15:4547] AH31780: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH21957"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri 
Mar 03 00:47:25.090 2023] [autoindex:error] [pid 28579] [client 134.87.21.47:7558] AH21957: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH67320"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 22:12:38.992 2023] [autoindex:error] [pid 26656] [client 187.80.4.18:7854] AH67320: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH69947"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 22:14:36.975 2023] [autoindex:error] [pid 17492] [client 16.4.20.20:5784] AH69947: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH62725"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:04:16.985 2023] [autoindex:error] [pid 28092] [client 16.4.20.20:55047] AH62725: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH69639"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:51:40.503 2023] [autoindex:error] [pid 22281] [client 187.80.4.18:3475] AH69639: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH86187"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:39:34.706 2023] [autoindex:error] [pid 19604] [client 40.220.102.15:7854] AH86187: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH76423"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 06:48:21.914 2023] [autoindex:error] [pid 22960] [client 187.80.4.18:22] AH76423: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH14152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:48:02.084 2023] [autoindex:error] [pid 20888] [client 54.10.24.5:5784] AH14152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"26874","id":"AH70032"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:25:58.736 2023] [autoindex:error] [pid 28585] [client 187.80.4.18:26874] AH70032: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH55796"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 01 21:42:44.559 2023] [autoindex:error] [pid 15394] [client 45.124.37.241:3014] AH55796: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH82152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 13:16:12.394 2023] [autoindex:error] [pid 15119] [client 54.10.24.5:4547] AH82152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH61889"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 13:17:08.491 2023] [autoindex:error] [pid 12645] [client 45.75.196.15:55047] AH61889: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH94728"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:42:04.223 2023] [autoindex:error] [pid 11928] [client 134.87.21.47:5784] AH94728: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH29494"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:49:43.748 2023] 
[autoindex:error] [pid 18903] [client 54.10.24.5:3527] AH29494: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH99414"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:50:02.907 2023] [autoindex:error] [pid 15240] [client 40.220.102.15:55047] AH99414: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH86866"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:32:56.348 2023] [autoindex:error] [pid 25786] [client 45.124.37.241:7558] AH86866: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH16152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 19:35:00.606 2023] [autoindex:error] [pid 22763] [client 134.87.21.47:3527] AH16152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH46231"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 22:39:56.746 2023] [autoindex:error] [pid 28481] [client 45.124.37.241:7854] AH46231: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH74860"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
07:43:47.584 2023] [autoindex:error] [pid 15802] [client 134.87.21.47:26874] AH74860: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH77425"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:57:51.491 2023] [autoindex:error] [pid 16237] [client 141.98.81.37:3527] AH77425: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH17350"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 05:11:44.397 2023] [autoindex:error] [pid 23889] [client 54.10.24.5:4277] AH17350: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3014","id":"AH18749"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:15:38.464 2023] [autoindex:error] [pid 26193] [client 141.98.81.37:3014] AH18749: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH44108"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:19:23.778 2023] [autoindex:error] [pid 11106] [client 134.87.21.47:2222] AH44108: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3475","id":"AH68736"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:19:56.353 2023] 
[autoindex:error] [pid 17178] [client 16.4.20.20:3475] AH68736: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH57859"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 08:27:53.131 2023] [autoindex:error] [pid 15158] [client 54.10.24.5:3527] AH57859: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH42302"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:32:59.388 2023] [autoindex:error] [pid 19230] [client 54.10.24.5:3475] AH42302: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH11900"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:53:01.408 2023] [autoindex:error] [pid 26849] [client 40.220.102.15:3014] AH11900: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH13130"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:39:30.808 2023] [autoindex:error] [pid 19528] [client 134.87.21.47:4277] AH13130: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH27603"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
16:46:55.933 2023] [autoindex:error] [pid 18363] [client 45.75.196.15:22] AH27603: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH13247"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:02:51.668 2023] [autoindex:error] [pid 11588] [client 45.75.196.15:4547] AH13247: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH38246"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:44:49.407 2023] [autoindex:error] [pid 24040] [client 187.80.4.18:3014] AH38246: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH68415"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 21:12:05.888 2023] [autoindex:error] [pid 28307] [client 141.98.81.37:8905] AH68415: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH30211"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:13:15.484 2023] [autoindex:error] [pid 21830] [client 45.75.196.15:4277] AH30211: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH11705"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:00:39.331 2023] 
[autoindex:error] [pid 27352] [client 45.124.37.241:4277] AH11705: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH65355"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:30:29.164 2023] [autoindex:error] [pid 23998] [client 16.4.20.20:3527] AH65355: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH49101"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:15:40.877 2023] [autoindex:error] [pid 21182] [client 134.87.21.47:2222] AH49101: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"26874","id":"AH99396"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 07:11:43.391 2023] [autoindex:error] [pid 23555] [client 187.80.4.18:26874] AH99396: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH98923"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:54:12.519 2023] [autoindex:error] [pid 18841] [client 45.75.196.15:55047] AH98923: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH64951"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
06:41:03.689 2023] [autoindex:error] [pid 12087] [client 40.220.102.15:22] AH64951: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH66726"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 09:06:49.058 2023] [autoindex:error] [pid 18237] [client 45.124.37.241:3527] AH66726: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH46073"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:14:58.027 2023] [autoindex:error] [pid 22158] [client 141.98.81.37:5784] AH46073: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH68888"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:12:59.721 2023] [autoindex:error] [pid 27130] [client 45.124.37.241:3527] AH68888: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH93469"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Fri Mar 03 02:35:37.556 2023] [autoindex:error] [pid 27824] [client 141.98.81.37:22] AH93469: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH60141"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 00:59:58.337 2023] [autoindex:error] [pid 21342] [client 40.220.102.15:4277] AH60141: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH40872"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:03:09.131 2023] [autoindex:error] [pid 12501] [client 134.87.21.47:3475] AH40872: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH42439"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:35:20.634 2023] [autoindex:error] [pid 20022] [client 45.75.196.15:2222] AH42439: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH42713"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:23:09.012 2023] [autoindex:error] [pid 21718] [client 134.87.21.47:7854] AH42713: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH68928"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:08:09.952 2023] [autoindex:error] [pid 19010] [client 54.10.24.5:3014] AH68928: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH18688"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:24:26.883 2023] [autoindex:error] [pid 18109] [client 45.124.37.241:3014] AH18688: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH80706"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 02:27:51.078 2023] [autoindex:error] [pid 27176] [client 134.87.21.47:55047] AH80706: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH99712"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:52:46.667 2023] [autoindex:error] [pid 14968] [client 16.4.20.20:5784] AH99712: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH90698"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 06:51:21.199 2023] [autoindex:error] [pid 17309] [client 45.124.37.241:7558] AH90698: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3475","id":"AH91074"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 18:43:41.533 2023] [autoindex:error] [pid 26485] [client 16.4.20.20:3475] AH91074: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH59388"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:13:45.098 2023] 
[autoindex:error] [pid 23645] [client 45.124.37.241:8905] AH59388: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH36651"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:49:12.625 2023] [autoindex:error] [pid 29012] [client 45.75.196.15:4547] AH36651: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH83381"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 23:06:57.185 2023] [autoindex:error] [pid 16576] [client 187.80.4.18:55047] AH83381: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH26029"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:57:30.554 2023] [autoindex:error] [pid 22893] [client 45.75.196.15:8905] AH26029: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH68874"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:52:36.142 2023] [autoindex:error] [pid 18175] [client 141.98.81.37:7558] AH68874: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH68444"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 23:43:40.748 2023] [autoindex:error] [pid 10020] [client 187.80.4.18:5784] AH68444: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH60089"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 13:35:07.866 2023] [autoindex:error] [pid 12259] [client 141.98.81.37:7854] AH60089: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"2222","id":"AH29359"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:11:20.193 2023] [autoindex:error] [pid 24630] [client 16.4.20.20:2222] AH29359: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH54244"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 14:57:31.874 2023] [autoindex:error] [pid 19165] [client 16.4.20.20:5784] AH54244: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH67659"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:18:14.451 2023] [autoindex:error] [pid 26486] [client 16.4.20.20:22] AH67659: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH19912"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
16:42:54.376 2023] [autoindex:error] [pid 23970] [client 16.4.20.20:22] AH19912: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH50684"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:09:29.291 2023] [autoindex:error] [pid 11691] [client 187.80.4.18:8905] AH50684: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH22491"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:34:07.303 2023] [autoindex:error] [pid 10961] [client 187.80.4.18:22] AH22491: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH74525"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:00:58.792 2023] [autoindex:error] [pid 26263] [client 45.75.196.15:7854] AH74525: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"26874","id":"AH94617"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:26:07.857 2023] [autoindex:error] [pid 15808] [client 16.4.20.20:26874] AH94617: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH60733"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
11:13:31.548 2023] [autoindex:error] [pid 16115] [client 40.220.102.15:4547] AH60733: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH79745"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:59:58.491 2023] [autoindex:error] [pid 20186] [client 16.4.20.20:3527] AH79745: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH76659"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:25:51.429 2023] [autoindex:error] [pid 14611] [client 141.98.81.37:8905] AH76659: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH66709"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:00:06.228 2023] [autoindex:error] [pid 26335] [client 134.87.21.47:4277] AH66709: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH30659"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:22:15.410 2023] [autoindex:error] [pid 15454] [client 54.10.24.5:26874] AH30659: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH32908"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 
03 12:29:35.074 2023] [autoindex:error] [pid 20321] [client 40.220.102.15:8905] AH32908: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH96649"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:25:07.790 2023] [autoindex:error] [pid 22201] [client 54.10.24.5:5784] AH96649: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH21344"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:07:29.637 2023] [autoindex:error] [pid 20400] [client 40.220.102.15:7558] AH21344: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH22257"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 00:36:02.760 2023] [autoindex:error] [pid 13328] [client 16.4.20.20:4547] AH22257: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH61360"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 14:38:54.897 2023] [autoindex:error] [pid 22461] [client 45.75.196.15:5784] AH61360: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH15493"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
22:17:43.600 2023] [autoindex:error] [pid 21298] [client 45.124.37.241:3475] AH15493: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"8905","id":"AH64008"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:09:04.365 2023] [autoindex:error] [pid 22072] [client 54.10.24.5:8905] AH64008: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH22214"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:34:26.065 2023] [autoindex:error] [pid 18444] [client 16.4.20.20:4277] AH22214: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH67719"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 16:04:39.627 2023] [autoindex:error] [pid 20279] [client 45.75.196.15:3014] AH67719: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH67629"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:42:47.308 2023] [autoindex:error] [pid 27717] [client 40.220.102.15:2222] AH67629: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH13155"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:50:34.584 
2023] [autoindex:error] [pid 24876] [client 45.124.37.241:5784] AH13155: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH80116"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:53:26.334 2023] [autoindex:error] [pid 18509] [client 45.124.37.241:3014] AH80116: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH96210"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 17:51:40.081 2023] [autoindex:error] [pid 24758] [client 45.75.196.15:3014] AH96210: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH47359"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:03:23.177 2023] [autoindex:error] [pid 18348] [client 16.4.20.20:22] AH47359: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH68780"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:24:35.058 2023] [autoindex:error] [pid 29901] [client 134.87.21.47:4277] AH68780: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH69767"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
07:38:33.578 2023] [autoindex:error] [pid 15671] [client 40.220.102.15:3527] AH69767: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH99589"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 23:57:25.874 2023] [autoindex:error] [pid 14019] [client 45.124.37.241:22] AH99589: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH38097"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 10:12:36.452 2023] [autoindex:error] [pid 25920] [client 141.98.81.37:22] AH38097: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH22246"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 10:34:54.706 2023] [autoindex:error] [pid 18286] [client 45.75.196.15:8905] AH22246: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH91886"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:21:06.061 2023] [autoindex:error] [pid 26148] [client 45.75.196.15:4277] AH91886: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH24265"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 11:01:32.755 2023] 
[autoindex:error] [pid 26485] [client 141.98.81.37:2222] AH24265: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH20856"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 04:06:54.214 2023] [autoindex:error] [pid 19750] [client 45.124.37.241:3527] AH20856: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH90385"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 20:35:01.925 2023] [autoindex:error] [pid 11662] [client 45.75.196.15:7558] AH90385: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH91824"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:48:32.363 2023] [autoindex:error] [pid 26731] [client 187.80.4.18:3014] AH91824: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH33199"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:30:47.300 2023] [autoindex:error] [pid 23506] [client 54.10.24.5:4547] AH33199: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH21237"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 
22:26:21.403 2023] [autoindex:error] [pid 19174] [client 45.75.196.15:4277] AH21237: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH53880"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 14:20:32.025 2023] [autoindex:error] [pid 10678] [client 45.75.196.15:26874] AH53880: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH10528"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:51:46.982 2023] [autoindex:error] [pid 21261] [client 45.124.37.241:2222] AH10528: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"8905","id":"AH47205"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:14:37.828 2023] [autoindex:error] [pid 29394] [client 16.4.20.20:8905] AH47205: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH85376"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:34:35.641 2023] [autoindex:error] [pid 24047] [client 40.220.102.15:7558] AH85376: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH47783"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
06:05:25.718 2023] [autoindex:error] [pid 23510] [client 54.10.24.5:4547] AH47783: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH44751"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:35:51.776 2023] [autoindex:error] [pid 28089] [client 141.98.81.37:2222] AH44751: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH24037"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 16:18:44.429 2023] [autoindex:error] [pid 23310] [client 54.10.24.5:26874] AH24037: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH57016"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:47:24.296 2023] [autoindex:error] [pid 25775] [client 187.80.4.18:3014] AH57016: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH42244"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:42:07.390 2023] [autoindex:error] [pid 11224] [client 134.87.21.47:55047] AH42244: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH37909"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 
03:10:54.304 2023] [autoindex:error] [pid 11511] [client 45.75.196.15:4547] AH37909: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH98142"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:34:12.666 2023] [autoindex:error] [pid 23816] [client 134.87.21.47:55047] AH98142: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH10743"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:32:36.936 2023] [autoindex:error] [pid 11028] [client 45.75.196.15:26874] AH10743: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH30526"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 06:33:50.156 2023] [autoindex:error] [pid 12752] [client 40.220.102.15:8905] AH30526: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH41751"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 02:56:13.483 2023] [autoindex:error] [pid 11867] [client 134.87.21.47:2222] AH41751: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH56160"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:42:33.435 2023] [autoindex:error] [pid 10788] [client 40.220.102.15:26874] AH56160: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH86488"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 20:10:00.747 2023] [autoindex:error] [pid 24082] [client 54.10.24.5:4547] AH86488: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH14343"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:03:31.024 2023] [autoindex:error] [pid 23040] [client 16.4.20.20:4277] AH14343: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH56645"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:59:11.343 2023] [autoindex:error] [pid 28706] [client 187.80.4.18:7558] AH56645: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH41069"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:20:24.943 2023] [autoindex:error] [pid 28596] [client 45.75.196.15:2222] AH41069: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH45386"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 14:50:13.304 2023] [autoindex:error] [pid 13711] [client 40.220.102.15:7854] AH45386: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"2222","id":"AH29745"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:27:06.302 2023] [autoindex:error] [pid 23873] [client 187.80.4.18:2222] AH29745: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH78277"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:56:40.319 2023] [autoindex:error] [pid 28070] [client 187.80.4.18:4277] AH78277: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH38670"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 09:16:52.643 2023] [autoindex:error] [pid 28659] [client 45.75.196.15:5784] AH38670: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH93951"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:43:49.453 2023] [autoindex:error] [pid 29746] [client 45.124.37.241:4547] AH93951: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH44166"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:30:25.664 2023] [autoindex:error] [pid 19937] [client 45.124.37.241:3475] AH44166: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH90918"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 16:26:58.614 2023] [autoindex:error] [pid 10635] [client 141.98.81.37:7558] AH90918: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH25725"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:56:00.909 2023] [autoindex:error] [pid 21564] [client 187.80.4.18:4277] AH25725: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"55047","id":"AH58030"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:03:52.752 2023] [autoindex:error] [pid 19022] [client 45.124.37.241:55047] AH58030: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH38306"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:28:24.155 2023] [autoindex:error] [pid 11703] [client 16.4.20.20:4547] AH38306: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH12044"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:01:07.703 2023] [autoindex:error] [pid 16652] [client 40.220.102.15:22] AH12044: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH35266"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:00:52.100 2023] [autoindex:error] [pid 13873] [client 45.75.196.15:4547] AH35266: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH38080"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:30:59.978 2023] [autoindex:error] [pid 19770] [client 54.10.24.5:4277] AH38080: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH13987"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 15:24:09.244 2023] [autoindex:error] [pid 19182] [client 187.80.4.18:22] AH13987: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH85019"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:48:41.520 2023] [autoindex:error] [pid 17406] [client 40.220.102.15:5784] AH85019: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH68479"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 18:49:48.279 2023] [autoindex:error] [pid 21165] [client 187.80.4.18:3014] AH68479: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH38707"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:45:47.311 2023] 
[autoindex:error] [pid 11706] [client 141.98.81.37:55047] AH38707: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH87987"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:00:08.302 2023] [autoindex:error] [pid 24078] [client 45.75.196.15:22] AH87987: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH62484"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 23:17:44.626 2023] [autoindex:error] [pid 20952] [client 45.75.196.15:2222] AH62484: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH83938"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:44:11.154 2023] [autoindex:error] [pid 12360] [client 134.87.21.47:4277] AH83938: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH62081"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:58:44.045 2023] [autoindex:error] [pid 13320] [client 45.75.196.15:3475] AH62081: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH39178"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:35:23.044 2023] [autoindex:error] [pid 14534] [client 45.75.196.15:4277] AH39178: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH80539"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:57:11.502 2023] [autoindex:error] [pid 25678] [client 45.124.37.241:8905] AH80539: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) 
found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH88499"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:30:22.258 2023] [autoindex:error] [pid 27073] [client 134.87.21.47:7558] AH88499: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH16343"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 00:22:54.074 2023] [autoindex:error] [pid 14878] [client 134.87.21.47:3527] AH16343: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH90080"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:29:01.821 2023] [autoindex:error] [pid 21861] [client 141.98.81.37:7854] AH90080: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH24584"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:39:19.095 2023] [autoindex:error] [pid 13390] [client 187.80.4.18:3014] AH24584: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH65957"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:16:14.575 2023] [autoindex:error] [pid 27539] [client 141.98.81.37:7558] AH65957: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH89307"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:38:22.031 2023] [autoindex:error] [pid 15728] [client 54.10.24.5:26874] AH89307: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH42884"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 10:44:07.467 2023] [autoindex:error] [pid 28653] [client 45.124.37.241:3014] AH42884: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH61352"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:18:59.165 2023] [autoindex:error] [pid 23347] [client 40.220.102.15:4277] AH61352: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH57232"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:21:11.649 2023] [autoindex:error] [pid 17957] [client 54.10.24.5:22] AH57232: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH14782"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 12:09:35.624 2023] [autoindex:error] [pid 16461] [client 141.98.81.37:3475] AH14782: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"26874","id":"AH60396"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 10:19:48.956 2023] [autoindex:error] [pid 16969] [client 16.4.20.20:26874] AH60396: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH50740"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:38:55.876 2023] [autoindex:error] [pid 25481] [client 16.4.20.20:3014] AH50740: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH95151"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:29:50.481 2023] [autoindex:error] [pid 14024] [client 134.87.21.47:8905] AH95151: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH19006"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 09:23:37.323 2023] [autoindex:error] [pid 11272] [client 141.98.81.37:3527] AH19006: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH45437"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 22:46:37.466 2023] [autoindex:error] [pid 11613] [client 187.80.4.18:55047] AH45437: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH74507"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 
06 15:56:30.963 2023] [autoindex:error] [pid 17817] [client 134.87.21.47:22] AH74507: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH92939"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:44:26.088 2023] [autoindex:error] [pid 22335] [client 134.87.21.47:8905] AH92939: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH96849"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 17:33:24.745 2023] [autoindex:error] [pid 22550] [client 45.75.196.15:5784] AH96849: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH88861"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:25:55.764 2023] [autoindex:error] [pid 18876] [client 45.124.37.241:4547] AH88861: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"26874","id":"AH24164"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:21:50.609 2023] [autoindex:error] [pid 18642] [client 141.98.81.37:26874] AH24164: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH57804"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:36:33.958 2023] [autoindex:error] [pid 21287] [client 134.87.21.47:7558] AH57804: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH78042"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:36:44.934 2023] [autoindex:error] [pid 23212] [client 187.80.4.18:22] AH78042: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH62674"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:43:44.026 2023] [autoindex:error] [pid 20917] [client 134.87.21.47:8905] AH62674: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH96391"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:32:57.491 2023] [autoindex:error] [pid 24292] [client 134.87.21.47:7854] AH96391: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH17950"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:15:24.731 2023] [autoindex:error] [pid 24696] [client 45.124.37.241:22] AH17950: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH86166"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:50:37.563 2023] [autoindex:error] [pid 13873] [client 45.124.37.241:22] AH86166: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH35536"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:59:26.071 2023] [autoindex:error] [pid 19244] [client 40.220.102.15:4547] AH35536: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH83961"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:39:57.180 2023] [autoindex:error] [pid 17791] [client 187.80.4.18:3527] AH83961: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH77286"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
05:46:41.498 2023] [autoindex:error] [pid 12063] [client 40.220.102.15:2222] AH77286: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH44467"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:38:20.793 2023] [autoindex:error] [pid 24424] [client 45.124.37.241:2222] AH44467: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH59270"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 21:40:42.098 2023] [autoindex:error] [pid 19030] [client 134.87.21.47:8905] AH59270: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH95724"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:13:02.054 2023] [autoindex:error] [pid 22338] [client 45.75.196.15:26874] AH95724: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH12893"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:20:13.559 2023] [autoindex:error] [pid 25814] [client 134.87.21.47:4277] AH12893: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH51659"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:49:02.476 2023] [autoindex:error] [pid 29149] [client 141.98.81.37:7558] AH51659: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH29442"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 07:57:10.333 2023] [autoindex:error] [pid 21348] [client 54.10.24.5:3014] AH29442: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH10143"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 02:54:15.759 2023] [autoindex:error] [pid 24162] [client 45.75.196.15:4547] AH10143: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH62917"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 05:03:36.130 2023] [autoindex:error] [pid 22135] [client 134.87.21.47:2222] AH62917: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH43101"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 13:57:07.911 2023] [autoindex:error] [pid 12965] [client 141.98.81.37:7854] AH43101: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH85570"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 21:48:45.270 2023] [autoindex:error] [pid 15485] [client 187.80.4.18:7854] AH85570: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH10524"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 15:19:00.275 
2023] [autoindex:error] [pid 19117] [client 45.124.37.241:4547] AH10524: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH25444"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 22:51:25.161 2023] [autoindex:error] [pid 12475] [client 187.80.4.18:55047] AH25444: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH24755"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:54:55.969 2023] [autoindex:error] [pid 18082] [client 134.87.21.47:3014] AH24755: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH21451"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:20:55.282 2023] [autoindex:error] [pid 15192] [client 16.4.20.20:3014] AH21451: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, 
and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH71584"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 21:39:47.988 2023] [autoindex:error] [pid 21542] [client 45.124.37.241:4547] AH71584: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH99599"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:28:29.279 2023] [autoindex:error] [pid 21438] [client 45.124.37.241:5784] AH99599: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH94904"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:42:18.282 2023] [autoindex:error] [pid 23305] [client 45.75.196.15:7558] AH94904: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH36564"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:34:04.257 2023] [autoindex:error] [pid 19704] [client 45.75.196.15:3014] AH36564: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH78506"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:04:45.973 2023] [autoindex:error] [pid 23619] [client 187.80.4.18:3475] AH78506: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH81570"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 21:19:31.234 2023] [autoindex:error] [pid 10838] [client 54.10.24.5:4277] AH81570: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"2222","id":"AH94728"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:14:20.846 2023] [autoindex:error] [pid 23626] [client 187.80.4.18:2222] AH94728: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH90559"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:45:30.933 2023] [autoindex:error] [pid 18826] [client 134.87.21.47:3527] AH90559: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH51747"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:49:08.077 2023] [autoindex:error] [pid 13678] [client 40.220.102.15:22] AH51747: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH20855"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:02:40.702 2023] [autoindex:error] [pid 25413] [client 134.87.21.47:3014] AH20855: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH20731"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:02:12.759 2023] [autoindex:error] [pid 16095] [client 141.98.81.37:8905] AH20731: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH42103"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:36:43.877 2023] [autoindex:error] [pid 13141] [client 16.4.20.20:4277] AH42103: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH70419"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 08:38:19.165 2023] [autoindex:error] [pid 19576] [client 45.124.37.241:3475] AH70419: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH28869"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:25:52.526 2023] [autoindex:error] [pid 22830] [client 45.124.37.241:4277] AH28869: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH76077"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Fri Mar 03 18:23:35.571 2023] [autoindex:error] [pid 18551] [client 187.80.4.18:3475] AH76077: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH69790"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 11:15:40.965 2023] [autoindex:error] [pid 21793] [client 16.4.20.20:22] AH69790: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH12386"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 16:49:43.283 2023] [autoindex:error] [pid 20647] [client 45.75.196.15:3475] AH12386: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH60183"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 18:51:25.743 2023] [autoindex:error] [pid 18481] [client 16.4.20.20:5784] AH60183: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH41767"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 09:25:21.247 2023] 
[autoindex:error] [pid 20406] [client 134.87.21.47:3475] AH41767: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH50286"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:28:19.619 2023] [autoindex:error] [pid 20618] [client 141.98.81.37:4277] AH50286: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH76240"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:12:21.757 2023] [autoindex:error] [pid 13695] [client 54.10.24.5:22] AH76240: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH26568"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:38:45.530 2023] [autoindex:error] [pid 20886] [client 40.220.102.15:7854] AH26568: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH53602"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:14:41.684 2023] [autoindex:error] [pid 26274] [client 187.80.4.18:55047] AH53602: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH21443"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:49:07.814 2023] [autoindex:error] [pid 17667] [client 16.4.20.20:5784] AH21443: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH27561"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 07:48:37.167 2023] [autoindex:error] [pid 14717] [client 16.4.20.20:22] AH27561: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"55047","id":"AH12871"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 12:01:45.189 2023] [autoindex:error] [pid 13891] [client 45.124.37.241:55047] AH12871: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH32077"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:20:03.775 2023] 
[autoindex:error] [pid 25058] [client 54.10.24.5:3475] AH32077: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3475","id":"AH92851"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:31:45.083 2023] [autoindex:error] [pid 17508] [client 187.80.4.18:3475] AH92851: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH27598"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 08:40:18.818 2023] [autoindex:error] [pid 21151] [client 134.87.21.47:26874] AH27598: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH89284"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:11:12.102 2023] [autoindex:error] [pid 28151] [client 40.220.102.15:26874] AH89284: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH25250"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:08:31.775 2023] [autoindex:error] [pid 27267] [client 16.4.20.20:4547] AH25250: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH20495"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 
01 20:05:14.700 2023] [autoindex:error] [pid 18597] [client 45.75.196.15:4547] AH20495: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH75136"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:46:03.184 2023] [autoindex:error] [pid 14844] [client 187.80.4.18:5784] AH75136: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH41236"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 09:50:00.402 2023] [autoindex:error] [pid 16673] [client 134.87.21.47:3527] AH41236: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH74047"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:18:40.971 2023] [autoindex:error] [pid 17714] [client 45.124.37.241:26874] AH74047: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH69565"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:59:03.622 2023] [autoindex:error] [pid 15558] [client 40.220.102.15:55047] AH69565: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH78892"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:44:49.353 2023] [autoindex:error] [pid 23986] [client 16.4.20.20:3527] AH78892: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH15863"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 04:12:20.449 2023] [autoindex:error] [pid 25827] [client 40.220.102.15:3475] AH15863: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH24890"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 09:05:54.408 2023] [autoindex:error] [pid 13936] [client 45.124.37.241:4277] AH24890: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH42163"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 
04 15:56:34.126 2023] [autoindex:error] [pid 17297] [client 141.98.81.37:3475] AH42163: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH79525"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 14:29:25.200 2023] [autoindex:error] [pid 26781] [client 134.87.21.47:3527] AH79525: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH70625"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 10:32:28.969 2023] [autoindex:error] [pid 17891] [client 16.4.20.20:3527] AH70625: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH14049"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 11:31:01.800 2023] [autoindex:error] [pid 14096] [client 45.124.37.241:3527] AH14049: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH67074"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:57:35.686 2023] [autoindex:error] [pid 23366] [client 141.98.81.37:3527] AH67074: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH28579"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:40:49.770 2023] [autoindex:error] [pid 23296] [client 45.75.196.15:55047] AH28579: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH97878"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 23:09:53.552 2023] [autoindex:error] [pid 27614] [client 187.80.4.18:55047] AH97878: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH77295"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:00:12.849 2023] [autoindex:error] [pid 24302] [client 45.75.196.15:7558] AH77295: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH43460"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:49:16.483 2023] [autoindex:error] [pid 16891] [client 40.220.102.15:8905] AH43460: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH48335"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 06:50:44.638 2023] [autoindex:error] [pid 27977] [client 40.220.102.15:7854] AH48335: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3014","id":"AH11689"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 22:41:42.600 2023] [autoindex:error] [pid 18688] [client 141.98.81.37:3014] AH11689: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"26874","id":"AH94639"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:29:05.254 2023] [autoindex:error] [pid 29627] [client 187.80.4.18:26874] AH94639: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH23501"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 13:27:12.173 2023] [autoindex:error] [pid 26778] [client 187.80.4.18:3014] AH23501: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH98363"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 01 10:24:29.360 2023] 
[autoindex:error] [pid 26053] [client 141.98.81.37:4547] AH98363: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH58115"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:04:13.896 2023] [autoindex:error] [pid 23434] [client 141.98.81.37:2222] AH58115: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7558","id":"AH98205"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:05:26.674 2023] [autoindex:error] [pid 25915] [client 40.220.102.15:7558] AH98205: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH44171"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:05:56.381 2023] [autoindex:error] [pid 21243] [client 45.75.196.15:3014] AH44171: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH31397"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 15:19:20.109 2023] [autoindex:error] [pid 12307] [client 134.87.21.47:2222] AH31397: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH28619"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 
04 13:17:00.926 2023] [autoindex:error] [pid 14916] [client 54.10.24.5:55047] AH28619: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH25320"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 00:52:10.584 2023] [autoindex:error] [pid 15449] [client 45.124.37.241:7854] AH25320: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH41737"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:17:58.977 2023] [autoindex:error] [pid 24289] [client 40.220.102.15:3475] AH41737: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH37454"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:57:40.848 2023] [autoindex:error] [pid 29925] [client 187.80.4.18:8905] AH37454: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH90240"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:29:01.932 2023] [autoindex:error] [pid 13808] [client 45.75.196.15:5784] AH90240: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH79360"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 
07 00:30:59.449 2023] [autoindex:error] [pid 23680] [client 187.80.4.18:5784] AH79360: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH28174"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 10:12:17.862 2023] [autoindex:error] [pid 26380] [client 45.75.196.15:55047] AH28174: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH73263"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 09:45:13.771 2023] [autoindex:error] [pid 13424] [client 40.220.102.15:4547] AH73263: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH46949"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:57:18.830 2023] [autoindex:error] [pid 13784] [client 40.220.102.15:8905] AH46949: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH36088"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:47:56.509 2023] [autoindex:error] [pid 11210] [client 16.4.20.20:5784] AH36088: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH43888"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 
16:34:56.994 2023] [autoindex:error] [pid 26711] [client 40.220.102.15:55047] AH43888: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH29652"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:52:36.281 2023] [autoindex:error] [pid 21110] [client 141.98.81.37:7558] AH29652: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH97413"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 15:46:17.895 2023] [autoindex:error] [pid 17185] [client 16.4.20.20:4547] AH97413: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH31053"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:38:43.341 2023] [autoindex:error] [pid 26680] [client 45.75.196.15:7558] AH31053: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH43434"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:34:50.361 2023] [autoindex:error] [pid 25630] [client 45.124.37.241:7558] AH43434: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH98360"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:25:22.505 
2023] [autoindex:error] [pid 18855] [client 141.98.81.37:2222] AH98360: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH64747"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:20:22.754 2023] [autoindex:error] [pid 25266] [client 134.87.21.47:3527] AH64747: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH54147"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 15:46:37.195 2023] [autoindex:error] [pid 21816] [client 134.87.21.47:5784] AH54147: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH90956"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:50:07.174 2023] [autoindex:error] [pid 27042] [client 45.124.37.241:3527] AH90956: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH23729"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:45:44.489 2023] [autoindex:error] [pid 20227] [client 45.75.196.15:4277] AH23729: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH72337"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:42:24.875 2023] [autoindex:error] [pid 11349] [client 54.10.24.5:26874] AH72337: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH45864"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:00:15.579 2023] [autoindex:error] [pid 26554] [client 40.220.102.15:5784] AH45864: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH22293"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:00:15.565 2023] [autoindex:error] [pid 18447] [client 45.124.37.241:5784] AH22293: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH26152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 16:12:21.190 2023] [autoindex:error] [pid 18288] [client 45.75.196.15:4547] AH26152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH77945"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 19:38:08.294 2023] [autoindex:error] [pid 18286] [client 54.10.24.5:3527] AH77945: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH21385"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sun Mar 05 
11:01:38.116 2023] [autoindex:error] [pid 28698] [client 141.98.81.37:7558] AH21385: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH92883"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:02:42.814 2023] [autoindex:error] [pid 19757] [client 45.75.196.15:2222] AH92883: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH21392"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 20:54:21.519 2023] [autoindex:error] [pid 14965] [client 134.87.21.47:5784] AH21392: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH84729"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:11:59.492 2023] [autoindex:error] [pid 21144] [client 141.98.81.37:7854] AH84729: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH21859"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:43:02.627 2023] [autoindex:error] [pid 16733] [client 187.80.4.18:5784] AH21859: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH27402"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:41:31.807 2023] [autoindex:error] [pid 14799] [client 141.98.81.37:8905] AH27402: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH23804"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:31:43.916 2023] [autoindex:error] [pid 29386] [client 45.124.37.241:22] AH23804: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH70229"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:25:31.114 2023] [autoindex:error] [pid 20507] [client 45.75.196.15:4277] AH70229: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH39645"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:51:49.322 2023] [autoindex:error] [pid 14775] [client 40.220.102.15:3014] AH39645: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH46395"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:55:16.522 2023] [autoindex:error] [pid 15663] [client 54.10.24.5:4277] AH46395: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH54497"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri 
Mar 03 04:20:43.601 2023] [autoindex:error] [pid 25500] [client 45.124.37.241:2222] AH54497: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"55047","id":"AH31142"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:37:14.779 2023] [autoindex:error] [pid 26618] [client 45.124.37.241:55047] AH31142: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH12069"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 07:19:53.557 2023] [autoindex:error] [pid 18590] [client 16.4.20.20:5784] AH12069: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH35336"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:03:34.799 2023] [autoindex:error] [pid 14001] [client 187.80.4.18:7558] AH35336: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH55590"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 14:58:03.983 2023] [autoindex:error] [pid 27102] [client 141.98.81.37:22] AH55590: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3527","id":"AH33610"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:32:10.874 2023] [autoindex:error] [pid 17539] [client 54.10.24.5:3527] AH33610: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH92514"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:26:11.728 2023] [autoindex:error] [pid 10021] [client 187.80.4.18:5784] AH92514: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH15424"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:34:15.933 2023] [autoindex:error] [pid 24897] [client 45.124.37.241:5784] AH15424: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH17983"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 23:38:47.208 2023] [autoindex:error] [pid 26439] [client 134.87.21.47:3014] AH17983: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH30219"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:13:07.648 2023] [autoindex:error] [pid 16456] [client 141.98.81.37:3475] AH30219: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH17920"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:45:28.235 2023] [autoindex:error] [pid 28700] [client 40.220.102.15:26874] AH17920: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH93971"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 13:19:35.560 2023] [autoindex:error] [pid 17570] [client 40.220.102.15:4547] AH93971: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH14283"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 13:51:06.500 2023] [autoindex:error] [pid 23769] [client 54.10.24.5:4547] AH14283: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH19994"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 16:51:35.527 2023] [autoindex:error] [pid 27588] [client 40.220.102.15:4277] AH19994: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH16903"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:43:18.393 2023] [autoindex:error] [pid 28872] [client 141.98.81.37:4547] AH16903: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH16434"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:25:30.153 2023] [autoindex:error] [pid 14594] [client 40.220.102.15:3475] AH16434: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH73882"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 04:40:04.174 2023] [autoindex:error] [pid 10715] [client 45.124.37.241:22] AH73882: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"26874","id":"AH26099"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:56:30.805 2023] 
[autoindex:error] [pid 17053] [client 16.4.20.20:26874] AH26099: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH85415"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:00:00.706 2023] [autoindex:error] [pid 12998] [client 45.75.196.15:4277] AH85415: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH10024"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 20:56:38.944 2023] [autoindex:error] [pid 20016] [client 134.87.21.47:22] AH10024: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH10227"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:50:37.809 2023] [autoindex:error] [pid 28742] [client 141.98.81.37:3475] AH10227: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH61177"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 23:27:19.306 2023] [autoindex:error] [pid 28558] [client 45.75.196.15:26874] AH61177: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH52626"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:23:01.095 
2023] [autoindex:error] [pid 29912] [client 45.124.37.241:4547] AH52626: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH21183"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:49:37.134 2023] [autoindex:error] [pid 17651] [client 45.124.37.241:7854] AH21183: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH46803"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 10:54:31.686 2023] [autoindex:error] [pid 16230] [client 141.98.81.37:3527] AH46803: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH42741"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:03:09.170 2023] [autoindex:error] [pid 26100] [client 40.220.102.15:55047] AH42741: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH67302"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 04:06:40.843 2023] [autoindex:error] [pid 16684] [client 45.124.37.241:5784] AH67302: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH66264"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 09:18:07.036 2023] [autoindex:error] [pid 13712] [client 45.124.37.241:26874] AH66264: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH86153"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 20:32:54.131 2023] [autoindex:error] [pid 14461] [client 187.80.4.18:4277] AH86153: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH60084"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:22:52.588 2023] [autoindex:error] [pid 29683] [client 141.98.81.37:4277] AH60084: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH34695"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:19:50.542 
2023] [autoindex:error] [pid 29901] [client 40.220.102.15:3475] AH34695: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH27267"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:31:37.239 2023] [autoindex:error] [pid 15399] [client 141.98.81.37:5784] AH27267: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH79087"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:58:34.064 2023] [autoindex:error] [pid 29648] [client 134.87.21.47:8905] AH79087: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH26360"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:43:50.545 2023] [autoindex:error] [pid 19369] [client 134.87.21.47:26874] AH26360: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH85098"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:40:47.559 2023] [autoindex:error] [pid 14216] [client 16.4.20.20:7854] AH85098: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH64975"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 
01 19:38:03.773 2023] [autoindex:error] [pid 23298] [client 187.80.4.18:22] AH64975: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH12685"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 11:36:59.530 2023] [autoindex:error] [pid 28313] [client 141.98.81.37:3527] AH12685: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH48361"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 15:18:57.065 2023] [autoindex:error] [pid 27704] [client 40.220.102.15:2222] AH48361: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7558","id":"AH94117"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 20:04:31.892 2023] [autoindex:error] [pid 15986] [client 16.4.20.20:7558] AH94117: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH43268"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:54:44.864 2023] [autoindex:error] [pid 20840] [client 16.4.20.20:4547] AH43268: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH25435"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 10:17:25.043 2023] 
[autoindex:error] [pid 15704] [client 134.87.21.47:26874] AH25435: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH73210"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:45:56.381 2023] [autoindex:error] [pid 26770] [client 16.4.20.20:22] AH73210: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"55047","id":"AH84360"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:46:12.320 2023] [autoindex:error] [pid 28623] [client 45.124.37.241:55047] AH84360: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH75322"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 08 07:16:55.276 2023] [autoindex:error] [pid 18272] [client 16.4.20.20:22] AH75322: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH73940"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:03:36.747 2023] [autoindex:error] [pid 15418] [client 45.124.37.241:3014] AH73940: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH78938"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:38:25.875 2023] [autoindex:error] [pid 20611] [client 134.87.21.47:55047] AH78938: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH21946"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:56:16.678 2023] [autoindex:error] [pid 11859] [client 134.87.21.47:4547] AH21946: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH40141"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 00:50:40.441 2023] [autoindex:error] [pid 18291] [client 54.10.24.5:22] AH40141: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH56880"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 21:01:25.522 2023] [autoindex:error] [pid 11310] [client 134.87.21.47:3527] AH56880: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH77191"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Fri Mar 03 18:47:00.256 2023] [autoindex:error] [pid 14713] [client 54.10.24.5:7854] AH77191: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH55239"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:51:48.615 2023] [autoindex:error] 
[pid 17347] [client 141.98.81.37:3475] AH55239: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH98180"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:38:29.970 2023] [autoindex:error] [pid 23037] [client 45.75.196.15:55047] AH98180: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH44822"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 18:25:27.154 2023] [autoindex:error] [pid 12967] [client 45.75.196.15:22] AH44822: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH45988"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:49:22.826 2023] [autoindex:error] [pid 16510] [client 187.80.4.18:7854] AH45988: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH65097"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:39:28.135 2023] [autoindex:error] [pid 18285] [client 16.4.20.20:5784] AH65097: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH60876"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:40:11.592 2023] [autoindex:error] [pid 19353] [client 134.87.21.47:4547] AH60876: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH43274"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:40:43.189 2023] [autoindex:error] [pid 12683] [client 40.220.102.15:5784] AH43274: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH21578"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:36:04.048 2023] [autoindex:error] [pid 23731] [client 16.4.20.20:5784] AH21578: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH58111"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 23:01:47.736 2023] [autoindex:error] [pid 21499] [client 40.220.102.15:5784] AH58111: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH64790"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 04:45:58.829 2023] [autoindex:error] [pid 26433] [client 45.124.37.241:4277] AH64790: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH62725"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:56:45.585 2023] [autoindex:error] [pid 11102] [client 134.87.21.47:7558] AH62725: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH71078"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 15:10:01.541 2023] [autoindex:error] [pid 17161] [client 141.98.81.37:3475] AH71078: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH64506"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 02:17:42.675 2023] [autoindex:error] [pid 19638] [client 45.75.196.15:4277] AH64506: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH46428"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:57:44.649 2023] [autoindex:error] [pid 21048] [client 45.75.196.15:7854] AH46428: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH43289"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 15:31:56.959 2023] [autoindex:error] [pid 23282] [client 187.80.4.18:8905] AH43289: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH44271"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 14:25:13.494 2023] [autoindex:error] [pid 19846] [client 40.220.102.15:3527] AH44271: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH77542"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:08:04.614 2023] [autoindex:error] [pid 28928] [client 45.124.37.241:3014] AH77542: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH92400"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:27:22.156 2023] [autoindex:error] [pid 10675] [client 141.98.81.37:4277] AH92400: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH45370"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:03:21.420 2023] [autoindex:error] [pid 24259] [client 45.75.196.15:4547] AH45370: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH71735"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:35:38.209 2023] [autoindex:error] [pid 19662] [client 187.80.4.18:55047] AH71735: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH45990"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:40:07.850 2023] [autoindex:error] [pid 19945] [client 40.220.102.15:22] AH45990: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH98584"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 01:43:56.431 2023] 
[autoindex:error] [pid 10725] [client 134.87.21.47:22] AH98584: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH99908"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:37:00.223 2023] [autoindex:error] [pid 19334] [client 141.98.81.37:2222] AH99908: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH49473"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:40:05.200 2023] [autoindex:error] [pid 27129] [client 45.75.196.15:8905] AH49473: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"55047","id":"AH79417"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:25:23.186 2023] [autoindex:error] [pid 23797] [client 45.124.37.241:55047] AH79417: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH14895"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:23:03.179 2023] [autoindex:error] [pid 19654] [client 45.124.37.241:22] AH14895: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH81915"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 21:29:18.263 
2023] [autoindex:error] [pid 23947] [client 141.98.81.37:4547] AH81915: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH37957"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:22:05.719 2023] [autoindex:error] [pid 16624] [client 45.124.37.241:4277] AH37957: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH45516"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:37:23.928 2023] [autoindex:error] [pid 23753] [client 40.220.102.15:55047] AH45516: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH92285"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 00:22:51.544 2023] [autoindex:error] [pid 25963] [client 45.75.196.15:8905] AH92285: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH58665"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:45:14.914 2023] [autoindex:error] [pid 13500] [client 134.87.21.47:22] AH58665: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH42556"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 00:21:39.371 2023] [autoindex:error] 
[pid 11715] [client 45.124.37.241:8905] AH42556: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH49158"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:19:03.300 2023] [autoindex:error] [pid 29032] [client 141.98.81.37:3475] AH49158: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH71389"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 16:20:44.587 2023] [autoindex:error] [pid 21288] [client 187.80.4.18:22] AH71389: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH90835"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 00:25:39.277 2023] [autoindex:error] [pid 10118] [client 45.124.37.241:3014] AH90835: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH58860"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 14:56:53.082 2023] [autoindex:error] [pid 21211] [client 141.98.81.37:7854] AH58860: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH46436"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 08 
01:36:47.178 2023] [autoindex:error] [pid 28766] [client 45.124.37.241:4547] AH46436: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH65916"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:38:19.925 2023] [autoindex:error] [pid 10810] [client 134.87.21.47:7558] AH65916: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH51368"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:10:18.621 2023] [autoindex:error] [pid 28040] [client 16.4.20.20:55047] AH51368: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH32458"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:24:44.515 2023] [autoindex:error] [pid 11407] [client 40.220.102.15:7854] AH32458: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3527","id":"AH90675"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:16:10.770 2023] [autoindex:error] [pid 28312] [client 40.220.102.15:3527] AH90675: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH30852"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:22:44.190 2023] [autoindex:error] [pid 10094] [client 16.4.20.20:3527] AH30852: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH39242"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:57:30.310 2023] [autoindex:error] [pid 25596] [client 16.4.20.20:4277] AH39242: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH95446"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 07:42:46.030 2023] [autoindex:error] [pid 29849] [client 134.87.21.47:7854] AH95446: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH63499"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
14:06:00.029 2023] [autoindex:error] [pid 13834] [client 16.4.20.20:55047] AH63499: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH79452"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:53:23.973 2023] [autoindex:error] [pid 28178] [client 40.220.102.15:2222] AH79452: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH91288"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:07:50.868 2023] [autoindex:error] [pid 11989] [client 54.10.24.5:7558] AH91288: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH84114"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:08:29.377 2023] [autoindex:error] [pid 21704] [client 187.80.4.18:7558] AH84114: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH41308"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:30:08.651 2023] [autoindex:error] [pid 24794] [client 134.87.21.47:5784] AH41308: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH32647"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 11:27:13.008 2023] [autoindex:error] [pid 13160] [client 45.75.196.15:3475] AH32647: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH49068"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:15:41.917 2023] [autoindex:error] [pid 13465] [client 54.10.24.5:7854] AH49068: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH93168"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:43:10.295 2023] [autoindex:error] [pid 27836] [client 16.4.20.20:4547] AH93168: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH32778"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 22:33:11.075 2023] [autoindex:error] [pid 27204] [client 45.124.37.241:5784] AH32778: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH73792"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 18:10:01.956 2023] [autoindex:error] [pid 18023] [client 40.220.102.15:3014] AH73792: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH67450"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:06:27.822 2023] 
[autoindex:error] [pid 23684] [client 16.4.20.20:22] AH67450: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH24021"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:12:03.043 2023] [autoindex:error] [pid 13038] [client 16.4.20.20:4277] AH24021: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH48020"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 18:23:57.976 2023] [autoindex:error] [pid 21801] [client 16.4.20.20:22] AH48020: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH17721"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:33:10.315 2023] [autoindex:error] [pid 21174] [client 134.87.21.47:7558] AH17721: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH79017"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:50:57.889 2023] [autoindex:error] [pid 10350] [client 187.80.4.18:7854] AH79017: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH78560"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 20:08:46.431 2023] 
[autoindex:error] [pid 19708] [client 134.87.21.47:7854] AH78560: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH61590"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:12:33.582 2023] [autoindex:error] [pid 16101] [client 40.220.102.15:3475] AH61590: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH18613"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 00:32:31.392 2023] [autoindex:error] [pid 13034] [client 40.220.102.15:3475] AH18613: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH15071"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:42:44.015 2023] [autoindex:error] [pid 19175] [client 45.124.37.241:3475] AH15071: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH94673"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:54:06.436 2023] [autoindex:error] [pid 23312] [client 54.10.24.5:22] AH94673: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH64192"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:18:17.598 
2023] [autoindex:error] [pid 28704] [client 187.80.4.18:4277] AH64192: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH65155"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:34:27.900 2023] [autoindex:error] [pid 11271] [client 45.75.196.15:26874] AH65155: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH24823"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:40:30.770 2023] [autoindex:error] [pid 24973] [client 187.80.4.18:7558] AH24823: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH17985"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 03:33:22.202 2023] [autoindex:error] [pid 28763] [client 187.80.4.18:4547] AH17985: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH80035"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 18:50:28.209 2023] [autoindex:error] [pid 24290] [client 16.4.20.20:55047] AH80035: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH15328"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 01:36:25.233 2023] 
[autoindex:error] [pid 13538] [client 16.4.20.20:3527] AH15328: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH43976"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 18:32:02.418 2023] [autoindex:error] [pid 25849] [client 16.4.20.20:3527] AH43976: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH95688"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 15:43:07.757 2023] [autoindex:error] [pid 15929] [client 45.75.196.15:22] AH95688: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH90422"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:33:56.364 2023] [autoindex:error] [pid 28853] [client 187.80.4.18:4277] AH90422: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH16530"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 08:51:40.174 2023] [autoindex:error] [pid 21599] [client 45.75.196.15:4277] AH16530: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH58284"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:25:30.985 2023] [autoindex:error] [pid 26772] [client 187.80.4.18:22] AH58284: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH55064"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:40:52.788 2023] [autoindex:error] [pid 16752] [client 141.98.81.37:4547] AH55064: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH44531"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 01:04:36.825 2023] [autoindex:error] [pid 12230] [client 16.4.20.20:3014] AH44531: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH57522"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 09:42:16.179 2023] [autoindex:error] [pid 16604] [client 16.4.20.20:55047] AH57522: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH60939"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:42:48.011 2023] [autoindex:error] [pid 14041] [client 16.4.20.20:4277] AH60939: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH40098"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 19:10:13.249 2023] 
[autoindex:error] [pid 11231] [client 40.220.102.15:3014] AH40098: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH57309"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 02:23:13.689 2023] [autoindex:error] [pid 13773] [client 45.124.37.241:7558] AH57309: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH93834"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:50:51.737 2023] [autoindex:error] [pid 23770] [client 141.98.81.37:22] AH93834: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH72176"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 06:14:59.746 2023] [autoindex:error] [pid 15498] [client 54.10.24.5:26874] AH72176: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"26874","id":"AH27521"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 02:52:42.395 2023] [autoindex:error] [pid 18031] [client 187.80.4.18:26874] AH27521: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH95056"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
11:37:51.523 2023] [autoindex:error] [pid 26574] [client 45.75.196.15:8905] AH95056: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH85072"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:56:22.481 2023] [autoindex:error] [pid 24382] [client 134.87.21.47:4277] AH85072: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH81237"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 01:13:19.037 2023] [autoindex:error] [pid 13760] [client 54.10.24.5:4277] AH81237: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH33597"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:48:44.388 2023] [autoindex:error] [pid 20765] [client 134.87.21.47:7854] AH33597: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH70481"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 17:19:16.821 2023] [autoindex:error] [pid 19127] [client 16.4.20.20:4277] AH70481: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH85004"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 08 06:45:14.338 2023] 
[autoindex:error] [pid 26696] [client 134.87.21.47:2222] AH85004: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH74746"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:35:54.666 2023] [autoindex:error] [pid 16452] [client 134.87.21.47:3475] AH74746: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH96055"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 19:35:55.022 2023] [autoindex:error] [pid 23237] [client 45.124.37.241:4277] AH96055: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH82152"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 01:15:30.686 2023] [autoindex:error] [pid 10228] [client 16.4.20.20:3527] AH82152: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH10325"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:44:25.142 2023] [autoindex:error] [pid 18784] [client 54.10.24.5:5784] AH10325: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH75260"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:31:25.005 2023] 
[autoindex:error] [pid 25974] [client 45.124.37.241:22] AH75260: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"2222","id":"AH77610"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:31:02.014 2023] [autoindex:error] [pid 16322] [client 187.80.4.18:2222] AH77610: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH27510"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:08:30.226 2023] [autoindex:error] [pid 24821] [client 45.75.196.15:22] AH27510: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH28576"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 12:44:53.321 2023] [autoindex:error] [pid 29473] [client 45.75.196.15:4547] AH28576: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH70009"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:49:22.269 2023] [autoindex:error] [pid 21336] [client 134.87.21.47:7854] AH70009: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH48568"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:07:23.715 2023] [autoindex:error] [pid 17727] [client 141.98.81.37:4277] AH48568: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3527","id":"AH45839"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:17:52.272 2023] [autoindex:error] [pid 14768] [client 134.87.21.47:3527] AH45839: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH27828"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 13:07:53.044 2023] [autoindex:error] [pid 29508] [client 16.4.20.20:5784] AH27828: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"5784","id":"AH68173"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:51:59.327 2023] [autoindex:error] [pid 20030] [client 187.80.4.18:5784] AH68173: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"26874","id":"AH12438"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 22:15:22.089 2023] [autoindex:error] [pid 25528] [client 141.98.81.37:26874] AH12438: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH88305"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:49:55.268 2023] 
[autoindex:error] [pid 16569] [client 187.80.4.18:4547] AH88305: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH71961"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 08 06:12:03.336 2023] [autoindex:error] [pid 18379] [client 141.98.81.37:55047] AH71961: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"22","id":"AH72363"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:17:46.275 2023] [autoindex:error] [pid 17417] [client 187.80.4.18:22] AH72363: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH84029"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:12:14.903 2023] [autoindex:error] [pid 28031] [client 134.87.21.47:4547] AH84029: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH38357"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 12:12:53.854 2023] [autoindex:error] [pid 15524] [client 134.87.21.47:55047] AH38357: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7558","id":"AH84599"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 
04 07:56:41.653 2023] [autoindex:error] [pid 12735] [client 134.87.21.47:7558] AH84599: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH19364"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 00:24:59.417 2023] [autoindex:error] [pid 14183] [client 134.87.21.47:3475] AH19364: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH13520"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:37:09.696 2023] [autoindex:error] [pid 28119] [client 141.98.81.37:22] AH13520: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"2222","id":"AH39043"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:02:29.633 2023] [autoindex:error] [pid 12825] [client 187.80.4.18:2222] AH39043: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH27471"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:20:09.149 2023] [autoindex:error] [pid 13529] [client 45.75.196.15:55047] AH27471: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH44201"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
07:28:20.809 2023] [autoindex:error] [pid 22809] [client 134.87.21.47:22] AH44201: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH33764"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:33:38.160 2023] [autoindex:error] [pid 25006] [client 16.4.20.20:7854] AH33764: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH81100"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:52:06.550 2023] [autoindex:error] [pid 21259] [client 45.124.37.241:26874] AH81100: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH20706"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:01:59.727 2023] [autoindex:error] [pid 29412] [client 45.75.196.15:3014] AH20706: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH79083"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:22:47.540 2023] [autoindex:error] [pid 13041] [client 187.80.4.18:8905] AH79083: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH19621"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:49:38.661 2023] [autoindex:error] 
[pid 27883] [client 16.4.20.20:4547] AH19621: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH14988"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:37:29.587 2023] [autoindex:error] [pid 20968] [client 141.98.81.37:4547] AH14988: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH95949"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Thu Mar 02 13:38:17.725 2023] [autoindex:error] [pid 18322] [client 54.10.24.5:3014] AH95949: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH12166"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:32:06.934 2023] [autoindex:error] [pid 29461] [client 40.220.102.15:3014] AH12166: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH70558"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 23:15:25.141 2023] [autoindex:error] [pid 24054] [client 134.87.21.47:8905] AH70558: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH14536"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 15:06:11.466 2023] [autoindex:error] [pid 20191] [client 134.87.21.47:8905] AH14536: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH70776"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 23:41:53.650 2023] [autoindex:error] [pid 24617] [client 134.87.21.47:55047] AH70776: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH32004"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 10:06:44.941 2023] [autoindex:error] [pid 25215] [client 54.10.24.5:55047] AH32004: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH72429"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:35:50.980 2023] [autoindex:error] [pid 11073] [client 45.124.37.241:8905] AH72429: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH51143"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 11:41:19.865 2023] [autoindex:error] [pid 22560] [client 45.124.37.241:8905] AH51143: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH57363"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:32:53.570 2023] [autoindex:error] [pid 23477] [client 16.4.20.20:3014] AH57363: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH34784"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 19:35:02.785 
2023] [autoindex:error] [pid 22845] [client 134.87.21.47:5784] AH34784: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH66392"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 14:35:42.063 2023] [autoindex:error] [pid 22172] [client 45.75.196.15:26874] AH66392: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH26029"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:36:00.142 2023] [autoindex:error] [pid 19945] [client 54.10.24.5:7854] AH26029: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH99263"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 22:32:15.451 2023] [autoindex:error] [pid 20399] [client 40.220.102.15:3475] AH99263: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH69479"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:12:51.348 2023] [autoindex:error] [pid 18776] [client 187.80.4.18:3527] AH69479: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH49141"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 10:35:09.081 2023] [autoindex:error] [pid 28924] [client 54.10.24.5:55047] AH49141: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH27621"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 19:39:15.093 2023] [autoindex:error] [pid 15698] [client 54.10.24.5:7854] AH27621: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH10309"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:52:26.096 2023] [autoindex:error] [pid 24491] [client 45.75.196.15:8905] AH10309: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH77535"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:11:26.647 2023] [autoindex:error] [pid 21242] [client 54.10.24.5:26874] AH77535: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7854","id":"AH16171"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:41:54.728 2023] [autoindex:error] [pid 29620] [client 141.98.81.37:7854] AH16171: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH53181"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 15:22:07.853 2023] [autoindex:error] [pid 28350] [client 16.4.20.20:3527] AH53181: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3527","id":"AH63932"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:26:51.537 2023] [autoindex:error] [pid 15060] [client 141.98.81.37:3527] AH63932: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH73004"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:36:36.183 2023] [autoindex:error] [pid 11357] [client 45.75.196.15:5784] AH73004: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH79043"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:40:42.862 
2023] [autoindex:error] [pid 11382] [client 45.75.196.15:22] AH79043: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH56522"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:22:14.629 2023] [autoindex:error] [pid 23820] [client 16.4.20.20:7854] AH56522: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH87969"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 04:43:04.728 2023] [autoindex:error] [pid 20738] [client 40.220.102.15:2222] AH87969: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH17928"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 02:31:36.393 2023] [autoindex:error] [pid 22702] [client 187.80.4.18:3527] AH17928: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"55047","id":"AH14311"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 03:21:47.709 2023] [autoindex:error] [pid 25288] [client 45.75.196.15:55047] AH14311: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH18116"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:05:13.444 
2023] [autoindex:error] [pid 29562] [client 45.75.196.15:26874] AH18116: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4277","id":"AH51627"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 15:23:10.426 2023] [autoindex:error] [pid 13991] [client 45.75.196.15:4277] AH51627: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH73980"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 17:37:41.145 2023] [autoindex:error] [pid 21160] [client 45.75.196.15:8905] AH73980: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH22795"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 22:52:07.928 2023] [autoindex:error] [pid 10942] [client 141.98.81.37:2222] AH22795: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH81578"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:21:58.373 2023] [autoindex:error] [pid 13792] [client 134.87.21.47:3014] AH81578: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH24810"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 01 17:56:36.316 
2023] [autoindex:error] [pid 19179] [client 45.124.37.241:7854] AH24810: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH13905"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:38:09.395 2023] [autoindex:error] [pid 23024] [client 54.10.24.5:55047] AH13905: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3014","id":"AH54542"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:42:50.744 2023] [autoindex:error] [pid 16600] [client 40.220.102.15:3014] AH54542: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH70116"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 01 14:12:33.927 2023] [autoindex:error] [pid 23332] [client 45.75.196.15:3014] AH70116: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH86766"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:38:05.035 2023] [autoindex:error] [pid 26993] [client 187.80.4.18:7558] AH86766: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH20913"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 17:59:40.672 2023] [autoindex:error] [pid 22925] [client 45.75.196.15:3014] AH20913: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH29631"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 19:15:49.547 2023] [autoindex:error] [pid 17641] [client 16.4.20.20:4277] AH29631: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"55047","id":"AH21794"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Tue Mar 07 18:57:44.724 2023] [autoindex:error] [pid 15974] [client 40.220.102.15:55047] AH21794: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH32792"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon 
Mar 06 06:14:25.164 2023] [autoindex:error] [pid 18812] [client 16.4.20.20:7854] AH32792: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH92017"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:37:06.217 2023] [autoindex:error] [pid 29373] [client 54.10.24.5:26874] AH92017: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH55817"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 18:00:26.862 2023] [autoindex:error] [pid 26838] [client 141.98.81.37:3475] AH55817: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH95521"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 02:13:38.118 2023] [autoindex:error] [pid 15831] [client 141.98.81.37:7558] AH95521: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"22","id":"AH24599"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 01 18:42:31.314 2023] [autoindex:error] [pid 10704] [client 141.98.81.37:22] AH24599: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3475","id":"AH17816"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 17:41:47.264 2023] [autoindex:error] [pid 28414] [client 45.75.196.15:3475] AH17816: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH57893"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 12:33:23.517 2023] [autoindex:error] [pid 20318] [client 16.4.20.20:3014] AH57893: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH67988"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:15:18.611 2023] [autoindex:error] [pid 10724] [client 45.124.37.241:4547] AH67988: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH49832"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 17:54:34.800 2023] [autoindex:error] [pid 27152] [client 54.10.24.5:3475] AH49832: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH22041"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:43:43.219 2023] [autoindex:error] [pid 15113] [client 134.87.21.47:5784] AH22041: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH40247"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 06:22:58.143 2023] [autoindex:error] [pid 23714] [client 134.87.21.47:5784] AH40247: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4547","id":"AH73934"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
03:25:48.413 2023] [autoindex:error] [pid 16030] [client 16.4.20.20:4547] AH73934: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH82605"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 08:22:18.085 2023] [autoindex:error] [pid 10830] [client 54.10.24.5:3014] AH82605: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH96284"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 22:39:56.331 2023] [autoindex:error] [pid 23982] [client 40.220.102.15:4277] AH96284: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH14244"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:21:46.642 2023] [autoindex:error] [pid 20645] [client 45.75.196.15:22] AH14244: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH94471"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 23:09:33.809 2023] [autoindex:error] [pid 17392] [client 16.4.20.20:3014] AH94471: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH70011"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Fri Mar 03 03:03:35.439 2023] [autoindex:error] [pid 24385] [client 45.124.37.241:7558] AH70011: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3475","id":"AH94130"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 01:36:04.177 2023] [autoindex:error] [pid 15455] [client 134.87.21.47:3475] AH94130: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH37250"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 17:00:46.500 2023] [autoindex:error] [pid 29529] [client 54.10.24.5:7558] AH37250: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4547","id":"AH18214"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 10:41:22.434 2023] [autoindex:error] [pid 17594] [client 141.98.81.37:4547] AH18214: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH70074"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:17:52.238 2023] [autoindex:error] [pid 16839] [client 45.124.37.241:2222] AH70074: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH95313"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 17:33:54.847 2023] 
[autoindex:error] [pid 11730] [client 45.124.37.241:7854] AH95313: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH31264"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:25:24.386 2023] [autoindex:error] [pid 22314] [client 45.124.37.241:4277] AH31264: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH57024"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 20:00:43.948 2023] [autoindex:error] [pid 14393] [client 40.220.102.15:3475] AH57024: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH28171"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:33:42.334 2023] [autoindex:error] [pid 17236] [client 187.80.4.18:7854] AH28171: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH60859"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:59:52.833 2023] [autoindex:error] [pid 25315] [client 54.10.24.5:5784] AH60859: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH13322"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Fri Mar 
03 02:34:10.480 2023] [autoindex:error] [pid 25542] [client 134.87.21.47:4547] AH13322: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH93714"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 05:01:44.206 2023] [autoindex:error] [pid 18224] [client 45.75.196.15:7558] AH93714: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH91936"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 01:23:19.671 2023] [autoindex:error] [pid 27298] [client 141.98.81.37:55047] AH91936: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH66687"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 18:55:25.003 2023] [autoindex:error] [pid 13454] [client 16.4.20.20:5784] AH66687: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH88036"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 01:03:47.135 2023] [autoindex:error] [pid 24219] [client 187.80.4.18:7558] AH88036: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH71875"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed 
Mar 01 19:54:22.722 2023] [autoindex:error] [pid 18367] [client 45.124.37.241:3014] AH71875: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH21620"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 09:15:02.502 2023] [autoindex:error] [pid 18563] [client 54.10.24.5:3014] AH21620: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH67231"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 19:28:33.737 2023] [autoindex:error] [pid 26077] [client 16.4.20.20:7854] AH67231: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH87454"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 11:08:06.680 2023] [autoindex:error] [pid 17378] [client 134.87.21.47:22] AH87454: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH13745"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:14:30.157 2023] [autoindex:error] [pid 24508] [client 45.75.196.15:3014] AH13745: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH92737"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 
00:20:12.906 2023] [autoindex:error] [pid 22846] [client 45.75.196.15:4547] AH92737: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH56389"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Thu Mar 02 02:55:01.804 2023] [autoindex:error] [pid 13106] [client 45.124.37.241:8905] AH56389: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7854","id":"AH46311"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:56:09.523 2023] [autoindex:error] [pid 18755] [client 54.10.24.5:7854] AH46311: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4277","id":"AH25436"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 22:45:15.603 2023] [autoindex:error] [pid 19113] [client 45.124.37.241:4277] AH25436: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH57142"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 18:40:47.732 2023] [autoindex:error] [pid 16974] [client 134.87.21.47:7854] AH57142: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH15333"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
03:59:49.471 2023] [autoindex:error] [pid 15098] [client 16.4.20.20:4277] AH15333: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH27522"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:47:29.173 2023] [autoindex:error] [pid 21790] [client 40.220.102.15:7854] AH27522: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH74885"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 02:10:51.266 2023] [autoindex:error] [pid 10175] [client 40.220.102.15:8905] AH74885: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"26874","id":"AH44946"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 00:47:04.990 2023] [autoindex:error] [pid 25685] [client 45.124.37.241:26874] AH44946: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"26874","id":"AH78939"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:09:16.183 2023] [autoindex:error] [pid 10028] [client 45.75.196.15:26874] AH78939: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH51661"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 15:02:37.697 2023] 
[autoindex:error] [pid 22186] [client 45.124.37.241:4547] AH51661: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH12773"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 00:24:33.427 2023] [autoindex:error] [pid 26805] [client 134.87.21.47:26874] AH12773: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH59315"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:00:44.335 2023] [autoindex:error] [pid 21316] [client 16.4.20.20:3014] AH59315: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"7854","id":"AH52038"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 21:12:58.012 2023] [autoindex:error] [pid 12960] [client 40.220.102.15:7854] AH52038: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH79435"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:36:28.054 2023] [autoindex:error] [pid 20501] [client 45.75.196.15:8905] AH79435: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH96567"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 
20:22:00.208 2023] [autoindex:error] [pid 28142] [client 16.4.20.20:55047] AH96567: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3527","id":"AH48554"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:13:16.662 2023] [autoindex:error] [pid 12972] [client 45.124.37.241:3527] AH48554: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH89526"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 11:25:12.156 2023] [autoindex:error] [pid 29953] [client 134.87.21.47:55047] AH89526: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7854","id":"AH82190"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:12:16.005 2023] [autoindex:error] [pid 20002] [client 45.75.196.15:7854] AH82190: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"5784","id":"AH17953"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 00:31:06.049 2023] [autoindex:error] [pid 29695] [client 45.75.196.15:5784] AH17953: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH10157"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
17:25:27.285 2023] [autoindex:error] [pid 28790] [client 187.80.4.18:7558] AH10157: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH83279"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:40:38.789 2023] [autoindex:error] [pid 23831] [client 141.98.81.37:7558] AH83279: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH15324"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:43:36.689 2023] [autoindex:error] [pid 25525] [client 134.87.21.47:7854] AH15324: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH38758"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:56:58.983 2023] [autoindex:error] [pid 12525] [client 141.98.81.37:4277] AH38758: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"8905","id":"AH83346"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:44:06.674 2023] [autoindex:error] [pid 13758] [client 134.87.21.47:8905] AH83346: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH39563"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:29:45.175 2023] [autoindex:error] 
[pid 25129] [client 45.124.37.241:2222] AH39563: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH46971"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 00:28:05.021 2023] [autoindex:error] [pid 27950] [client 45.124.37.241:22] AH46971: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH83602"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 17:41:50.822 2023] [autoindex:error] [pid 25049] [client 134.87.21.47:3014] AH83602: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH12606"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 19:55:48.743 2023] [autoindex:error] [pid 23391] [client 134.87.21.47:7854] AH12606: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3527","id":"AH61820"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:45:53.019 2023] [autoindex:error] [pid 27399] [client 187.80.4.18:3527] AH61820: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"55047","id":"AH96041"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 04:47:32.532 2023] [autoindex:error] [pid 13746] [client 141.98.81.37:55047] AH96041: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH59241"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:51:52.558 2023] [autoindex:error] [pid 19910] [client 16.4.20.20:5784] AH59241: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH13234"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sat Mar 04 06:12:58.425 2023] [autoindex:error] [pid 13722] [client 40.220.102.15:4277] AH13234: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH38785"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 
10:14:28.588 2023] [autoindex:error] [pid 15361] [client 16.4.20.20:22] AH38785: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH63777"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 23:30:12.101 2023] [autoindex:error] [pid 21589] [client 45.75.196.15:22] AH63777: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"22","id":"AH55740"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:50:21.283 2023] [autoindex:error] [pid 16978] [client 54.10.24.5:22] AH55740: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"5784","id":"AH40598"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Wed Mar 08 00:10:04.274 2023] [autoindex:error] [pid 11567] [client 54.10.24.5:5784] AH40598: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH47936"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu Mar 02 14:55:35.704 2023] [autoindex:error] [pid 27924] [client 45.75.196.15:3014] AH47936: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH12949"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:57:32.507 2023] [autoindex:error] 
[pid 27318] [client 187.80.4.18:4277] AH12949: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH95037"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:05:02.111 2023] [autoindex:error] [pid 27467] [client 16.4.20.20:4277] AH95037: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"22","id":"AH21922"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:59:14.617 2023] [autoindex:error] [pid 19560] [client 134.87.21.47:22] AH21922: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"2222","id":"AH55278"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:00:48.938 2023] [autoindex:error] [pid 18720] [client 45.124.37.241:2222] AH55278: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH67002"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 09:38:56.910 2023] [autoindex:error] [pid 24087] [client 45.124.37.241:3014] AH67002: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH17018"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:33:24.885 2023] [autoindex:error] [pid 16943] [client 187.80.4.18:4547] AH17018: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH82516"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Mon Mar 06 11:18:27.087 2023] [autoindex:error] [pid 19380] [client 141.98.81.37:5784] AH82516: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH98640"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 17:34:43.038 2023] [autoindex:error] [pid 14170] [client 45.75.196.15:22] AH98640: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"55047","id":"AH61338"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Thu 
Mar 02 11:34:43.087 2023] [autoindex:error] [pid 26039] [client 134.87.21.47:55047] AH61338: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH15590"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 00:37:08.702 2023] [autoindex:error] [pid 18719] [client 54.10.24.5:55047] AH15590: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"2222","id":"AH53493"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Thu Mar 02 04:08:46.554 2023] [autoindex:error] [pid 26400] [client 40.220.102.15:2222] AH53493: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4277","id":"AH27377"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 08:23:43.137 2023] [autoindex:error] [pid 24791] [client 40.220.102.15:4277] AH27377: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH61567"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 16:46:26.548 2023] [autoindex:error] [pid 27329] [client 134.87.21.47:5784] AH61567: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"8905","id":"AH47094"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 22:44:09.726 2023] 
[autoindex:error] [pid 26547] [client 40.220.102.15:8905] AH47094: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH64768"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 12:33:43.070 2023] [autoindex:error] [pid 28210] [client 54.10.24.5:3475] AH64768: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH64366"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sun Mar 05 02:09:07.718 2023] [autoindex:error] [pid 28225] [client 40.220.102.15:5784] AH64366: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH72068"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 20:01:58.961 2023] [autoindex:error] [pid 29723] [client 16.4.20.20:3527] AH72068: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH64458"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:58:47.635 2023] [autoindex:error] [pid 13429] [client 141.98.81.37:2222] AH64458: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"55047","id":"AH89419"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 02:53:51.489 2023] [autoindex:error] [pid 14965] [client 54.10.24.5:55047] AH89419: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"3014","id":"AH46341"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:54:58.134 2023] [autoindex:error] [pid 27996] [client 187.80.4.18:3014] AH46341: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3475","id":"AH62324"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:20:41.946 2023] [autoindex:error] [pid 21133] [client 45.124.37.241:3475] AH62324: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"8905","id":"AH78684"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 06:15:36.054 2023] [autoindex:error] [pid 11535] [client 141.98.81.37:8905] AH78684: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7854","id":"AH25706"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 10:12:33.165 2023] [autoindex:error] [pid 10414] [client 45.124.37.241:7854] AH25706: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3014","id":"AH18279"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 13:15:27.900 2023] [autoindex:error] [pid 17670] [client 141.98.81.37:3014] AH18279: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH85862"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Tue Mar 07 11:50:31.593 2023] [autoindex:error] [pid 28357] [client 16.4.20.20:22] AH85862: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4547","id":"AH35977"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 12:54:50.859 2023] [autoindex:error] [pid 12581] [client 54.10.24.5:4547] AH35977: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"5784","id":"AH29719"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Tue Mar 07 06:30:41.272 2023] [autoindex:error] 
[pid 24255] [client 40.220.102.15:5784] AH29719: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"7854","id":"AH25511"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sun Mar 05 05:42:42.088 2023] [autoindex:error] [pid 27235] [client 16.4.20.20:7854] AH25511: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH40984"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 10:42:16.004 2023] [autoindex:error] [pid 28381] [client 134.87.21.47:3014] AH40984: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH95108"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 14:07:48.604 2023] [autoindex:error] [pid 21533] [client 187.80.4.18:4547] AH95108: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4547","id":"AH27346"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Sun Mar 05 09:59:32.933 2023] [autoindex:error] [pid 24471] [client 134.87.21.47:4547] AH27346: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"2222","id":"AH25063"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Wed Mar 08 01:56:04.530 2023] [autoindex:error] [pid 10096] [client 54.10.24.5:2222] AH25063: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH69718"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Mon Mar 06 23:10:37.167 2023] [autoindex:error] [pid 21073] [client 134.87.21.47:7854] AH69718: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory 
index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH68780"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sat Mar 04 12:41:04.141 2023] [autoindex:error] [pid 10928] [client 45.75.196.15:8905] AH68780: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"4277","id":"AH42819"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 09:15:18.883 2023] [autoindex:error] [pid 15614] [client 54.10.24.5:4277] AH42819: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"7854","id":"AH27876"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Sun Mar 05 17:33:24.325 2023] [autoindex:error] [pid 18947] [client 134.87.21.47:7854] AH27876: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3475","id":"AH15231"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 22:41:26.070 2023] [autoindex:error] [pid 12073] [client 54.10.24.5:3475] AH15231: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"3475","id":"AH72934"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 10:33:29.543 2023] [autoindex:error] [pid 19030] [client 40.220.102.15:3475] AH72934: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH85247"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 02:05:19.839 2023] [autoindex:error] [pid 10288] [client 187.80.4.18:8905] AH85247: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH33149"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 03:04:51.462 2023] [autoindex:error] [pid 17211] [client 45.124.37.241:7558] AH33149: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH90472"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Sat Mar 04 07:46:44.963 2023] [autoindex:error] [pid 14654] [client 54.10.24.5:3014] AH90472: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"4547","id":"AH42772"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Fri Mar 03 06:11:25.902 2023] [autoindex:error] [pid 12104] [client 40.220.102.15:4547] AH42772: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"8905","id":"AH89977"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 17:34:50.347 2023] [autoindex:error] [pid 12041] [client 45.124.37.241:8905] AH89977: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3014","id":"AH59431"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sun Mar 05 22:22:53.872 2023] [autoindex:error] [pid 14697] [client 16.4.20.20:3014] AH59431: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"26874","id":"AH62451"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:48:37.399 2023] [autoindex:error] [pid 24220] [client 141.98.81.37:26874] AH62451: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"22","id":"AH33123"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 01 18:53:59.233 
2023] [autoindex:error] [pid 16977] [client 45.75.196.15:22] AH33123: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"26874","id":"AH83660"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:55:40.831 2023] [autoindex:error] [pid 10990] [client 134.87.21.47:26874] AH83660: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"55047","id":"AH28382"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Mon Mar 06 08:18:02.997 2023] [autoindex:error] [pid 12848] [client 16.4.20.20:55047] AH28382: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"7558","id":"AH80914"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Sun Mar 05 03:37:46.563 2023] [autoindex:error] [pid 20543] [client 54.10.24.5:7558] AH80914: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"2222","id":"AH82083"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Mon Mar 06 15:37:36.034 2023] [autoindex:error] [pid 17380] [client 45.75.196.15:2222] AH82083: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"8905","id":"AH96046"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:59:46.859 
2023] [autoindex:error] [pid 22580] [client 16.4.20.20:8905] AH96046: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH24981"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 03:41:58.129 2023] [autoindex:error] [pid 19671] [client 45.75.196.15:3014] AH24981: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH24943"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:58:08.059 2023] [autoindex:error] [pid 17321] [client 134.87.21.47:2222] AH24943: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3014","id":"AH15995"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Wed Mar 01 16:30:16.474 2023] [autoindex:error] [pid 22192] [client 45.75.196.15:3014] AH15995: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and 
server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7558","id":"AH50659"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:52:09.541 2023] [autoindex:error] [pid 12059] [client 187.80.4.18:7558] AH50659: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH24843"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 20:21:17.930 2023] [autoindex:error] [pid 23129] [client 134.87.21.47:5784] AH24843: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH18501"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Fri Mar 03 05:50:59.777 2023] [autoindex:error] [pid 24029] [client 187.80.4.18:4547] AH18501: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index 
forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"26874","id":"AH51848"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Mon Mar 06 07:00:04.987 2023] [autoindex:error] [pid 24905] [client 40.220.102.15:26874] AH51848: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3014","id":"AH41995"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 
16:31:47.300 2023] [autoindex:error] [pid 22929] [client 141.98.81.37:3014] AH41995: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"8905","id":"AH38044"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 04:38:32.581 2023] [autoindex:error] [pid 29622] [client 187.80.4.18:8905] AH38044: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH91094"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 21:29:57.377 2023] [autoindex:error] [pid 16022] [client 16.4.20.20:3527] AH91094: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"3527","id":"AH86491"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:57:05.714 2023] [autoindex:error] [pid 24351] [client 45.75.196.15:3527] AH86491: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"7558","id":"AH45781"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Fri Mar 03 19:54:29.630 2023] [autoindex:error] [pid 17357] [client 141.98.81.37:7558] AH45781: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"22","id":"AH81029"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri 
Mar 03 20:37:11.637 2023] [autoindex:error] [pid 17312] [client 16.4.20.20:22] AH81029: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH93351"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Thu Mar 02 14:20:59.376 2023] [autoindex:error] [pid 27466] [client 187.80.4.18:55047] AH93351: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"4547","id":"AH33380"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Wed Mar 08 03:20:51.924 2023] [autoindex:error] [pid 19164] [client 45.75.196.15:4547] AH33380: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"5784","id":"AH34130"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 14:51:32.131 2023] [autoindex:error] [pid 24283] [client 141.98.81.37:5784] AH34130: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH50338"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"input":{"type":"log"},"full_log":"[Fri Mar 03 08:08:11.720 2023] [autoindex:error] [pid 13532] [client 45.124.37.241:22] AH50338: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"2222","id":"AH66177"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 16:19:02.118 2023] [autoindex:error] [pid 19708] [client 134.87.21.47:2222] AH66177: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3475","id":"AH50646"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Wed Mar 01 23:24:05.054 2023] [autoindex:error] [pid 24424] [client 16.4.20.20:3475] AH50646: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH66558"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"input":{"type":"log"},"full_log":"[Sun Mar 05 07:46:05.152 2023] [autoindex:error] [pid 27724] [client 134.87.21.47:4277] AH66558: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4277","id":"AH94444"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Fri Mar 03 14:00:12.588 2023] [autoindex:error] [pid 28334] [client 187.80.4.18:4277] AH94444: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"26874","id":"AH92252"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 05:51:57.886 2023] [autoindex:error] [pid 26361] [client 54.10.24.5:26874] AH92252: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"7854","id":"AH45352"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 
20:47:57.510 2023] [autoindex:error] [pid 26605] [client 187.80.4.18:7854] AH45352: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"2222","id":"AH57057"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 12:05:28.337 2023] [autoindex:error] [pid 21113] [client 54.10.24.5:2222] AH57057: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"8905","id":"AH38525"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:42:15.850 2023] [autoindex:error] [pid 21718] [client 45.75.196.15:8905] AH38525: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"4277","id":"AH22430"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:00:30.398 2023] [autoindex:error] [pid 15913] [client 16.4.20.20:4277] AH22430: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.75.196.15","srcport":"7558","id":"AH27786"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 02:20:27.197 2023] [autoindex:error] [pid 29317] [client 45.75.196.15:7558] AH27786: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"54.10.24.5","srcport":"3014","id":"AH14922"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"input":{"type":"log"},"full_log":"[Mon Mar 06 02:49:14.273 2023] [autoindex:error] [pid 24757] [client 54.10.24.5:3014] AH14922: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"3014","id":"AH14721"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Sat Mar 04 13:54:26.472 2023] [autoindex:error] [pid 16729] [client 134.87.21.47:3014] AH14721: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"4547","id":"AH60753"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Thu Mar 02 07:30:03.711 2023] [autoindex:error] [pid 26095] [client 45.124.37.241:4547] AH60753: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH97997"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Fri Mar 03 07:02:37.169 2023] [autoindex:error] [pid 13378] [client 45.124.37.241:7558] AH97997: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden 
by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH54070"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"input":{"type":"log"},"full_log":"[Sat Mar 04 18:31:09.969 2023] [autoindex:error] [pid 16274] [client 187.80.4.18:55047] AH54070: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"3475","id":"AH64186"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Sun Mar 05 01:21:46.413 2023] [autoindex:error] [pid 14349] [client 141.98.81.37:3475] AH64186: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"5784","id":"AH15430"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Wed Mar 08 04:48:37.396 2023] [autoindex:error] [pid 29163] [client 45.124.37.241:5784] AH15430: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"3014","id":"AH39238"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:38:15.125 2023] [autoindex:error] [pid 22817] [client 45.124.37.241:3014] AH39238: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"5784","id":"AH86394"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Sat Mar 04 03:10:48.775 2023] 
[autoindex:error] [pid 22004] [client 16.4.20.20:5784] AH86394: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"4547","id":"AH17565"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Fri Mar 03 13:32:28.473 2023] [autoindex:error] [pid 18768] [client 187.80.4.18:4547] AH17565: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"2222","id":"AH62622"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 05:49:56.160 2023] [autoindex:error] [pid 22439] [client 141.98.81.37:2222] AH62622: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"22","id":"AH77376"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Thu Mar 02 17:48:28.202 2023] [autoindex:error] [pid 10120] [client 45.124.37.241:22] AH77376: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by 
Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"16.4.20.20","srcport":"3527","id":"AH36999"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"input":{"type":"log"},"full_log":"[Tue Mar 07 04:15:59.016 2023] [autoindex:error] [pid 14486] [client 16.4.20.20:3527] AH36999: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"40.220.102.15","srcport":"22","id":"AH27519"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"input":{"type":"log"},"full_log":"[Mon Mar 06 10:08:46.545 2023] [autoindex:error] [pid 25096] [client 40.220.102.15:22] AH27519: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"4277","id":"AH18714"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"input":{"type":"log"},"full_log":"[Tue Mar 07 20:15:27.851 2023] [autoindex:error] [pid 17277] [client 134.87.21.47:4277] AH18714: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated 
directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"141.98.81.37","srcport":"4277","id":"AH86448"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"input":{"type":"log"},"full_log":"[Tue Mar 07 03:44:49.909 2023] [autoindex:error] [pid 13433] [client 141.98.81.37:4277] AH86448: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory 
index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"45.124.37.241","srcport":"7558","id":"AH87847"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"input":{"type":"log"},"full_log":"[Tue Mar 07 07:10:40.458 2023] [autoindex:error] [pid 27482] [client 45.124.37.241:7558] AH87847: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"134.87.21.47","srcport":"5784","id":"AH91785"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"input":{"type":"log"},"full_log":"[Sat Mar 04 21:01:06.412 2023] [autoindex:error] [pid 27366] [client 134.87.21.47:5784] AH91785: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options 
directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5.8","10.2.4"],"hipaa":["164.312.b"],"description":"Apache: Attempt to access forbidden directory index.","groups":["apache","web","access_denied"],"id":"30306","nist_800_53":["SA.11","AU.14","AC.7"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"apache-errorlog","name":"apache-errorlog"},"data":{"srcip":"187.80.4.18","srcport":"55047","id":"AH26745"},"location":"/var/log/httpd/error_log","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"input":{"type":"log"},"full_log":"[Wed Mar 01 09:41:55.609 2023] [autoindex:error] [pid 17799] [client 187.80.4.18:55047] AH26745: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [02/Mar/2023:02:42:22 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [03/Mar/2023:12:43:46 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"full_log":"141.98.81.37 - - [01/Mar/2023:10:00:21 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [07/Mar/2023:17:57:30 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [05/Mar/2023:19:01:02 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" 
\"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [05/Mar/2023:13:14:58 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:13:14:52 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:13:14:53 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:13:14:54 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 
Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:13:14:55 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [07/Mar/2023:10:43:00 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [01/Mar/2023:14:58:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [05/Mar/2023:07:15:58 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [05/Mar/2023:01:14:58 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [01/Mar/2023:17:24:34 +0000] \"GET /db/myadmin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [01/Mar/2023:17:24:28 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:17:24:29 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:17:24:30 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:17:24:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [05/Mar/2023:15:55:02 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [05/Mar/2023:15:54:56 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:15:54:57 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:15:54:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:15:54:59 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [01/Mar/2023:22:27:23 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"141.98.81.37 - - [01/Mar/2023:22:27:17 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [01/Mar/2023:22:27:18 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [01/Mar/2023:22:27:19 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - 
[01/Mar/2023:22:27:20 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [03/Mar/2023:18:42:59 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [03/Mar/2023:15:28:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"187.80.4.18 - - [03/Mar/2023:15:28:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:15:28:05 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:15:28:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:15:28:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like 
Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [05/Mar/2023:00:22:05 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [04/Mar/2023:12:03:20 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [05/Mar/2023:12:54:52 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"187.80.4.18 - - [05/Mar/2023:12:54:46 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:12:54:47 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:12:54:48 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 
Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:12:54:49 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [08/Mar/2023:01:17:49 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [01/Mar/2023:09:24:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [02/Mar/2023:04:49:28 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [02/Mar/2023:00:13:46 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [01/Mar/2023:12:01:43 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"141.98.81.37 - - [01/Mar/2023:12:01:37 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:12:01:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:12:01:39 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:12:01:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [06/Mar/2023:07:17:44 
+0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [04/Mar/2023:22:05:00 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [05/Mar/2023:10:39:27 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [05/Mar/2023:02:15:05 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [05/Mar/2023:09:49:20 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"141.98.81.37 - - [05/Mar/2023:09:49:14 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [05/Mar/2023:09:49:15 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [05/Mar/2023:09:49:16 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - 
[05/Mar/2023:09:49:17 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [02/Mar/2023:06:05:18 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.124.37.241 - - [02/Mar/2023:06:05:12 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:06:05:13 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:06:05:14 +0000] \"GET 
/sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:06:05:15 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [07/Mar/2023:22:23:40 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [06/Mar/2023:00:15:30 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"187.80.4.18 - - [06/Mar/2023:00:15:24 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [06/Mar/2023:00:15:25 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [06/Mar/2023:00:15:26 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [06/Mar/2023:00:15:27 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [06/Mar/2023:12:56:41 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [04/Mar/2023:16:02:49 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [05/Mar/2023:22:14:09 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [05/Mar/2023:22:14:03 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:14:04 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:14:05 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:14:06 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [06/Mar/2023:16:36:02 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"45.75.196.15 - - [06/Mar/2023:16:35:56 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [06/Mar/2023:16:35:57 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [06/Mar/2023:16:35:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [06/Mar/2023:16:35:59 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [07/Mar/2023:13:42:44 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"134.87.21.47 - - [07/Mar/2023:13:42:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [07/Mar/2023:13:42:39 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [07/Mar/2023:13:42:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [07/Mar/2023:13:42:41 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [03/Mar/2023:23:40:43 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:23:40:37 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:23:40:38 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 
Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:23:40:39 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:23:40:40 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [07/Mar/2023:19:27:04 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"141.98.81.37 - - [07/Mar/2023:19:26:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n141.98.81.37 - - [07/Mar/2023:19:26:59 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n141.98.81.37 - - [07/Mar/2023:19:27:00 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, 
like Gecko)\"\n141.98.81.37 - - [07/Mar/2023:19:27:01 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [05/Mar/2023:10:44:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"54.10.24.5 - - [05/Mar/2023:10:44:02 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:10:44:03 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:10:44:04 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:10:44:05 +0000] \"GET 
/db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [04/Mar/2023:00:43:44 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [06/Mar/2023:12:05:54 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"16.4.20.20 - - [06/Mar/2023:12:05:48 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [06/Mar/2023:12:05:49 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [06/Mar/2023:12:05:50 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [06/Mar/2023:12:05:51 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [06/Mar/2023:18:39:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [07/Mar/2023:11:35:25 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"16.4.20.20 - - [07/Mar/2023:11:35:19 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:11:35:20 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:11:35:21 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:11:35:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"full_log":"54.10.24.5 - - [06/Mar/2023:12:36:08 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"54.10.24.5 - - [06/Mar/2023:12:36:02 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:12:36:03 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:12:36:04 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:12:36:05 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [05/Mar/2023:01:43:06 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [03/Mar/2023:15:06:14 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [01/Mar/2023:13:47:29 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"134.87.21.47 - - [01/Mar/2023:13:47:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n134.87.21.47 - - [01/Mar/2023:13:47:24 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n134.87.21.47 - - [01/Mar/2023:13:47:25 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n134.87.21.47 - - [01/Mar/2023:13:47:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [06/Mar/2023:14:57:34 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [05/Mar/2023:05:58:51 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 
Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [02/Mar/2023:08:47:21 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"40.220.102.15 - - [02/Mar/2023:08:47:15 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [02/Mar/2023:08:47:16 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [02/Mar/2023:08:47:17 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [02/Mar/2023:08:47:18 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [04/Mar/2023:06:23:18 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"141.98.81.37 - - [04/Mar/2023:06:23:12 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [04/Mar/2023:06:23:13 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [04/Mar/2023:06:23:14 +0000] \"GET /db/myadmin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [04/Mar/2023:06:23:15 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [07/Mar/2023:16:55:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [07/Mar/2023:16:55:00 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:16:55:01 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - 
[07/Mar/2023:16:55:02 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:16:55:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [05/Mar/2023:04:48:04 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"187.80.4.18 - - [05/Mar/2023:04:47:58 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:47:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:48:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:48:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [03/Mar/2023:15:31:01 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - 
[07/Mar/2023:05:51:38 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"134.87.21.47 - - [07/Mar/2023:05:51:32 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [07/Mar/2023:05:51:33 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [07/Mar/2023:05:51:34 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [07/Mar/2023:05:51:35 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [02/Mar/2023:15:13:43 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"40.220.102.15 - - [02/Mar/2023:15:13:37 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n40.220.102.15 - - [02/Mar/2023:15:13:38 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n40.220.102.15 - - [02/Mar/2023:15:13:39 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n40.220.102.15 - - [02/Mar/2023:15:13:40 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [06/Mar/2023:10:30:05 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:10:29:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:10:30:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:10:30:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:10:30:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [06/Mar/2023:22:54:35 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - 
[05/Mar/2023:04:12:11 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"40.220.102.15 - - [05/Mar/2023:04:12:05 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [05/Mar/2023:04:12:06 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [05/Mar/2023:04:12:07 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [05/Mar/2023:04:12:08 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [06/Mar/2023:15:56:42 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [01/Mar/2023:20:52:02 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 
NintendoBrowser/4.3.1.11264.US\"","previous_output":"141.98.81.37 - - [01/Mar/2023:20:51:56 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [01/Mar/2023:20:51:57 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [01/Mar/2023:20:51:58 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [01/Mar/2023:20:51:59 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [03/Mar/2023:05:47:42 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:05:47:36 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:05:47:37 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:05:47:38 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:05:47:39 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [07/Mar/2023:15:39:03 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [02/Mar/2023:07:59:06 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [07/Mar/2023:22:27:50 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [07/Mar/2023:03:33:38 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"40.220.102.15 - - [07/Mar/2023:03:33:32 
+0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:03:33:33 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:03:33:34 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:03:33:35 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [06/Mar/2023:03:21:28 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"54.10.24.5 - - [06/Mar/2023:03:21:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n54.10.24.5 - - [06/Mar/2023:03:21:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n54.10.24.5 - - [06/Mar/2023:03:21:24 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n54.10.24.5 - - [06/Mar/2023:03:21:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [02/Mar/2023:08:46:20 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.124.37.241 - - [02/Mar/2023:08:46:14 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:08:46:15 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:08:46:16 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:08:46:17 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [04/Mar/2023:21:00:10 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [07/Mar/2023:01:39:33 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"54.10.24.5 - - 
[07/Mar/2023:01:39:27 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:01:39:28 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:01:39:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:01:39:30 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [07/Mar/2023:08:01:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 
Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [02/Mar/2023:10:37:35 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [02/Mar/2023:10:37:29 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:10:37:30 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:10:37:31 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 
Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:10:37:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [05/Mar/2023:12:01:24 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:03:44:40 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [01/Mar/2023:11:08:11 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"16.4.20.20 - - [01/Mar/2023:11:08:05 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:08:06 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:08:07 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:08:08 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [03/Mar/2023:10:28:26 
+0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [01/Mar/2023:23:09:08 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - 
[01/Mar/2023:10:09:58 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [01/Mar/2023:09:59:32 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.124.37.241 - - [01/Mar/2023:09:59:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:09:59:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:09:59:28 +0000] \"GET /administrator/admin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:09:59:29 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [03/Mar/2023:21:33:25 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"16.4.20.20 - - [03/Mar/2023:21:33:19 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [03/Mar/2023:21:33:20 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 
7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [03/Mar/2023:21:33:21 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [03/Mar/2023:21:33:22 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [07/Mar/2023:07:15:27 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"134.87.21.47 - - [07/Mar/2023:07:15:21 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 
12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:07:15:22 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:07:15:23 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:07:15:24 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [07/Mar/2023:08:58:25 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [07/Mar/2023:04:21:37 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.124.37.241 - - [07/Mar/2023:04:21:31 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [07/Mar/2023:04:21:32 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [07/Mar/2023:04:21:33 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [07/Mar/2023:04:21:34 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [03/Mar/2023:22:15:40 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:03:51:07 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"187.80.4.18 - - [05/Mar/2023:03:51:01 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:03:51:02 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:03:51:03 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:03:51:04 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [02/Mar/2023:22:01:38 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [04/Mar/2023:07:47:49 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - 
[03/Mar/2023:12:59:24 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [03/Mar/2023:12:59:18 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:12:59:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:12:59:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:12:59:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [03/Mar/2023:16:21:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [05/Mar/2023:17:15:54 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"45.124.37.241 - - [05/Mar/2023:17:15:48 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.124.37.241 - - [05/Mar/2023:17:15:49 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.124.37.241 - - [05/Mar/2023:17:15:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.124.37.241 - - [05/Mar/2023:17:15:51 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [04/Mar/2023:03:36:10 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) 
Silk/3.2\"","previous_output":"45.75.196.15 - - [04/Mar/2023:03:36:04 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [04/Mar/2023:03:36:05 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [04/Mar/2023:03:36:06 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [04/Mar/2023:03:36:07 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [07/Mar/2023:08:15:55 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [05/Mar/2023:01:54:38 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [01/Mar/2023:18:37:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) 
Version/1.7412.EU\"","previous_output":"45.124.37.241 - - [01/Mar/2023:18:37:05 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [01/Mar/2023:18:37:06 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [01/Mar/2023:18:37:07 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [01/Mar/2023:18:37:08 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [01/Mar/2023:22:38:01 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"187.80.4.18 - - [01/Mar/2023:22:37:55 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - 
[01/Mar/2023:22:37:56 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:22:37:57 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:22:37:58 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [03/Mar/2023:05:46:52 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [08/Mar/2023:07:01:22 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [04/Mar/2023:18:20:29 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 
Safari/537.36\"","previous_output":"54.10.24.5 - - [04/Mar/2023:18:20:23 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:18:20:24 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:18:20:25 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:18:20:26 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [06/Mar/2023:06:17:06 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [02/Mar/2023:05:34:43 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"141.98.81.37 - - [02/Mar/2023:05:34:37 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:05:34:38 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:05:34:39 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:05:34:40 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [04/Mar/2023:08:23:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [08/Mar/2023:07:58:26 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [07/Mar/2023:09:46:51 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [05/Mar/2023:18:54:46 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [02/Mar/2023:10:53:44 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [06/Mar/2023:01:52:16 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [06/Mar/2023:01:52:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:01:52:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:01:52:12 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:01:52:13 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [01/Mar/2023:22:42:01 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"45.124.37.241 - - [01/Mar/2023:22:41:55 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [01/Mar/2023:22:41:56 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [01/Mar/2023:22:41:57 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [01/Mar/2023:22:41:58 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [01/Mar/2023:14:44:41 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:15:03:33 +0000] \"GET /index.php?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [01/Mar/2023:21:52:20 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"16.4.20.20 - - [01/Mar/2023:21:52:14 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:21:52:15 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:21:52:16 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:21:52:17 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [06/Mar/2023:04:22:47 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [07/Mar/2023:09:47:15 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [07/Mar/2023:09:47:09 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:09:47:10 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:09:47:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:09:47:12 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [08/Mar/2023:01:16:23 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [07/Mar/2023:03:10:31 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:08:36:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:03:04:26 +0000] \"GET 
/sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"141.98.81.37 - - [02/Mar/2023:03:04:20 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [02/Mar/2023:03:04:21 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [02/Mar/2023:03:04:22 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [02/Mar/2023:03:04:23 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [02/Mar/2023:17:35:09 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"187.80.4.18 - - [02/Mar/2023:17:35:03 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [02/Mar/2023:17:35:04 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [02/Mar/2023:17:35:05 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [02/Mar/2023:17:35:06 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [05/Mar/2023:12:32:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:15:31:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [04/Mar/2023:17:00:20 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [07/Mar/2023:16:36:00 +0000] \"GET 
\t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"45.75.196.15 - - [07/Mar/2023:16:35:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [07/Mar/2023:16:35:55 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [07/Mar/2023:16:35:56 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [07/Mar/2023:16:35:57 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [02/Mar/2023:03:25:22 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [06/Mar/2023:09:43:44 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:03:56:46 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"45.75.196.15 - - [05/Mar/2023:03:56:40 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [05/Mar/2023:03:56:41 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [05/Mar/2023:03:56:42 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.75.196.15 - - [05/Mar/2023:03:56:43 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [01/Mar/2023:20:11:31 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [03/Mar/2023:04:52:36 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 
Firefox/57.0\"","previous_output":"45.124.37.241 - - [03/Mar/2023:04:52:30 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [03/Mar/2023:04:52:31 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [03/Mar/2023:04:52:32 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [03/Mar/2023:04:52:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [07/Mar/2023:00:21:51 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [01/Mar/2023:13:58:41 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [01/Mar/2023:11:59:44 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [05/Mar/2023:02:43:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [05/Mar/2023:02:43:49 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:02:43:50 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:02:43:51 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 
Mobile Safari/537.36\"\n40.220.102.15 - - [05/Mar/2023:02:43:52 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [07/Mar/2023:03:27:50 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.75.196.15 - - [07/Mar/2023:03:27:44 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [07/Mar/2023:03:27:45 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - 
- [07/Mar/2023:03:27:46 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [07/Mar/2023:03:27:47 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [05/Mar/2023:10:23:55 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [04/Mar/2023:19:54:39 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"141.98.81.37 - - [04/Mar/2023:19:54:33 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:19:54:34 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:19:54:35 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:19:54:36 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [07/Mar/2023:03:27:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [05/Mar/2023:13:28:49 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [07/Mar/2023:07:07:53 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [07/Mar/2023:16:38:15 +0000] \"GET /pma2020/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [07/Mar/2023:16:38:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:16:38:10 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:16:38:11 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:16:38:12 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [05/Mar/2023:21:04:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [06/Mar/2023:17:48:03 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"full_log":"141.98.81.37 - - [05/Mar/2023:06:49:49 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [07/Mar/2023:03:55:26 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"16.4.20.20 - - [07/Mar/2023:03:55:20 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n16.4.20.20 - - [07/Mar/2023:03:55:21 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n16.4.20.20 - - [07/Mar/2023:03:55:22 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n16.4.20.20 - - [07/Mar/2023:03:55:23 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [08/Mar/2023:03:39:09 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"45.75.196.15 - - [08/Mar/2023:03:39:03 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [08/Mar/2023:03:39:04 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [08/Mar/2023:03:39:05 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [08/Mar/2023:03:39:06 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [04/Mar/2023:11:30:12 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"40.220.102.15 - - [04/Mar/2023:11:30:06 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:30:07 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:30:08 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:30:09 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [05/Mar/2023:12:33:58 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [04/Mar/2023:12:24:18 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"40.220.102.15 - - [04/Mar/2023:12:24:12 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [04/Mar/2023:12:24:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [04/Mar/2023:12:24:14 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [04/Mar/2023:12:24:15 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [01/Mar/2023:15:45:14 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"16.4.20.20 - - [01/Mar/2023:15:45:08 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:15:45:09 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:15:45:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:15:45:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [01/Mar/2023:23:39:56 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.75.196.15 - - [01/Mar/2023:23:39:50 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [01/Mar/2023:23:39:51 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [01/Mar/2023:23:39:52 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [01/Mar/2023:23:39:53 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [02/Mar/2023:22:14:06 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [08/Mar/2023:07:09:08 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [04/Mar/2023:22:58:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:22:58:37 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:22:58:38 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:22:58:39 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:22:58:40 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"40.220.102.15 - - [08/Mar/2023:07:57:28 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [05/Mar/2023:06:21:36 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; 
XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [07/Mar/2023:19:19:33 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [05/Mar/2023:09:11:17 +0000] \"GET /administrator/admin/index.php?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [03/Mar/2023:00:34:41 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"45.124.37.241 - - [03/Mar/2023:00:34:35 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [03/Mar/2023:00:34:36 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [03/Mar/2023:00:34:37 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [03/Mar/2023:00:34:38 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [06/Mar/2023:22:12:18 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [06/Mar/2023:20:02:39 +0000] \"GET 
/remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"45.124.37.241 - - [06/Mar/2023:20:02:33 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.124.37.241 - - [06/Mar/2023:20:02:34 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.124.37.241 - - [06/Mar/2023:20:02:35 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.124.37.241 - - [06/Mar/2023:20:02:36 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [04/Mar/2023:14:47:42 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"141.98.81.37 - - [04/Mar/2023:14:47:36 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:14:47:37 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:14:47:38 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:14:47:39 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [02/Mar/2023:17:21:59 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [03/Mar/2023:05:02:31 +0000] \"GET /administrator/db/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"45.75.196.15 - - [03/Mar/2023:05:02:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:05:02:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:05:02:27 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:05:02:28 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [02/Mar/2023:23:27:37 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [03/Mar/2023:10:13:39 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [03/Mar/2023:05:12:54 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [02/Mar/2023:21:41:09 +0000] \"GET \t/administrator/pma/index.php?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [04/Mar/2023:02:37:04 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [07/Mar/2023:07:55:45 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"141.98.81.37 - - [07/Mar/2023:07:55:39 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:07:55:40 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:07:55:41 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:07:55:42 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [04/Mar/2023:08:27:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [08/Mar/2023:05:18:42 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [08/Mar/2023:07:47:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [08/Mar/2023:07:47:16 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:07:47:17 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:07:47:18 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile 
Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:07:47:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:15:04:34 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:15:04:28 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:04:29 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:04:30 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; 
Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:04:31 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [07/Mar/2023:14:10:27 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"45.75.196.15 - - [07/Mar/2023:14:10:21 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [07/Mar/2023:14:10:22 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [07/Mar/2023:14:10:23 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [07/Mar/2023:14:10:24 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [04/Mar/2023:19:59:02 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:19:58:56 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:58:57 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:58:58 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:58:59 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:04:15:45 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"187.80.4.18 - - [05/Mar/2023:04:15:39 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:15:40 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:15:41 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:04:15:42 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [06/Mar/2023:04:48:17 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"187.80.4.18 - - [06/Mar/2023:04:48:11 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:04:48:12 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:04:48:13 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:04:48:14 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [03/Mar/2023:08:03:04 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"134.87.21.47 - - [03/Mar/2023:08:02:58 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:08:02:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:08:03:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:08:03:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [02/Mar/2023:02:39:31 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [06/Mar/2023:13:29:36 +0000] \"GET /administrator/db/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"134.87.21.47 - - [06/Mar/2023:13:29:30 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [06/Mar/2023:13:29:31 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [06/Mar/2023:13:29:32 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [06/Mar/2023:13:29:33 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [07/Mar/2023:09:06:09 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [05/Mar/2023:22:57:21 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [05/Mar/2023:22:57:15 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [05/Mar/2023:22:57:16 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [05/Mar/2023:22:57:17 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [05/Mar/2023:22:57:18 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [02/Mar/2023:15:59:53 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [05/Mar/2023:14:08:41 +0000] \"GET 
/sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [05/Mar/2023:14:08:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [05/Mar/2023:14:08:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [05/Mar/2023:14:08:37 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [05/Mar/2023:14:08:38 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [05/Mar/2023:17:51:26 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"16.4.20.20 - - [05/Mar/2023:17:51:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [05/Mar/2023:17:51:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [05/Mar/2023:17:51:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [05/Mar/2023:17:51:23 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [06/Mar/2023:07:23:39 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [06/Mar/2023:07:23:33 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:07:23:34 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:07:23:35 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:07:23:36 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [02/Mar/2023:18:04:59 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - 
[05/Mar/2023:04:58:50 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [03/Mar/2023:00:18:28 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"187.80.4.18 - - [03/Mar/2023:00:18:22 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:00:18:23 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:00:18:24 
+0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:00:18:25 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [06/Mar/2023:17:58:33 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"45.124.37.241 - - [06/Mar/2023:17:58:27 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [06/Mar/2023:17:58:28 +0000] 
\"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [06/Mar/2023:17:58:29 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [06/Mar/2023:17:58:30 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:16:24:00 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"45.75.196.15 - - [05/Mar/2023:16:23:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [05/Mar/2023:16:23:55 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [05/Mar/2023:16:23:56 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [05/Mar/2023:16:23:57 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [05/Mar/2023:09:18:33 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"141.98.81.37 - - [05/Mar/2023:09:18:27 
+0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n141.98.81.37 - - [05/Mar/2023:09:18:28 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n141.98.81.37 - - [05/Mar/2023:09:18:29 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n141.98.81.37 - - [05/Mar/2023:09:18:30 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [04/Mar/2023:16:21:55 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"45.124.37.241 - - [04/Mar/2023:16:21:49 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - 
[04/Mar/2023:16:21:50 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [04/Mar/2023:16:21:51 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [04/Mar/2023:16:21:52 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [02/Mar/2023:05:16:01 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.75.196.15 - - [02/Mar/2023:05:15:55 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like 
Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:05:15:56 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:05:15:57 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:05:15:58 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [07/Mar/2023:17:54:27 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"134.87.21.47 - 
- [07/Mar/2023:17:54:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:17:54:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:17:54:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:17:54:24 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [08/Mar/2023:04:45:43 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU 
iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"54.10.24.5 - - [08/Mar/2023:04:45:37 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:04:45:38 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:04:45:39 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:04:45:40 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [06/Mar/2023:09:03:44 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [04/Mar/2023:19:03:24 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [03/Mar/2023:04:48:33 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:19:49:05 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"54.10.24.5 - - [05/Mar/2023:19:48:59 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:19:49:00 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:19:49:01 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:19:49:02 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [06/Mar/2023:12:21:34 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile 
Safari/537.36\"","previous_output":"141.98.81.37 - - [06/Mar/2023:12:21:28 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:12:21:29 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:12:21:30 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:12:21:31 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [05/Mar/2023:12:00:32 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) 
AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"54.10.24.5 - - [05/Mar/2023:12:00:26 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [05/Mar/2023:12:00:27 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [05/Mar/2023:12:00:28 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [05/Mar/2023:12:00:29 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [06/Mar/2023:05:11:44 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [06/Mar/2023:05:11:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:05:11:39 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:05:11:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:05:11:41 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - 
[05/Mar/2023:23:33:24 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [04/Mar/2023:13:23:58 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [06/Mar/2023:17:50:19 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [07/Mar/2023:22:51:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 
Safari/537.36\"","previous_output":"54.10.24.5 - - [07/Mar/2023:22:51:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:51:31 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:51:32 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:51:33 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [07/Mar/2023:12:10:03 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [06/Mar/2023:13:23:22 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"187.80.4.18 - - [06/Mar/2023:13:23:16 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:13:23:17 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:13:23:18 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - 
[06/Mar/2023:13:23:19 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [05/Mar/2023:08:41:44 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"16.4.20.20 - - [05/Mar/2023:08:41:38 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [05/Mar/2023:08:41:39 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [05/Mar/2023:08:41:40 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [05/Mar/2023:08:41:41 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [03/Mar/2023:20:36:02 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [04/Mar/2023:23:57:46 +0000] \"GET /remote/login?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [04/Mar/2023:23:57:40 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:23:57:41 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:23:57:42 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:23:57:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [02/Mar/2023:13:50:16 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [02/Mar/2023:13:50:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:13:50:11 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:13:50:12 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:13:50:13 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [04/Mar/2023:16:00:20 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"54.10.24.5 - - [04/Mar/2023:16:00:14 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [04/Mar/2023:16:00:15 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [04/Mar/2023:16:00:16 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [04/Mar/2023:16:00:17 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [01/Mar/2023:14:13:50 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - 
[05/Mar/2023:16:04:15 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"16.4.20.20 - - [05/Mar/2023:16:04:09 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [05/Mar/2023:16:04:10 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [05/Mar/2023:16:04:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [05/Mar/2023:16:04:12 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [04/Mar/2023:08:01:56 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [04/Mar/2023:08:01:50 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:08:01:51 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:08:01:52 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:08:01:53 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [08/Mar/2023:06:52:49 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [06/Mar/2023:15:24:55 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"141.98.81.37 - - [06/Mar/2023:15:24:49 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [06/Mar/2023:15:24:50 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [06/Mar/2023:15:24:51 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [06/Mar/2023:15:24:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [05/Mar/2023:09:19:55 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"187.80.4.18 - - [05/Mar/2023:09:19:49 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [05/Mar/2023:09:19:50 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [05/Mar/2023:09:19:51 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [05/Mar/2023:09:19:52 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:20:38:41 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [07/Mar/2023:03:12:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [02/Mar/2023:10:58:28 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"16.4.20.20 - - [02/Mar/2023:10:58:22 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [02/Mar/2023:10:58:23 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [02/Mar/2023:10:58:24 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [02/Mar/2023:10:58:25 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [03/Mar/2023:01:50:40 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.124.37.241 - - [03/Mar/2023:01:50:34 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [03/Mar/2023:01:50:35 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [03/Mar/2023:01:50:36 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [03/Mar/2023:01:50:37 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [07/Mar/2023:10:48:16 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"134.87.21.47 - - [07/Mar/2023:10:48:10 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:10:48:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:10:48:12 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 
Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:10:48:13 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:03:15:54 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [08/Mar/2023:08:44:54 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [03/Mar/2023:09:51:16 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [05/Mar/2023:18:09:39 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [03/Mar/2023:23:17:35 +0000] 
\"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"45.124.37.241 - - [03/Mar/2023:23:17:29 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.124.37.241 - - [03/Mar/2023:23:17:30 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.124.37.241 - - [03/Mar/2023:23:17:31 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.124.37.241 - - [03/Mar/2023:23:17:32 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [07/Mar/2023:21:50:46 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"134.87.21.47 - - [07/Mar/2023:21:50:40 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:21:50:41 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:21:50:42 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:21:50:43 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [04/Mar/2023:23:01:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [01/Mar/2023:16:41:08 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 
6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [02/Mar/2023:23:04:17 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"40.220.102.15 - - [02/Mar/2023:23:04:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:23:04:12 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:23:04:13 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:23:04:14 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 
WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [07/Mar/2023:17:37:20 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.75.196.15 - - [07/Mar/2023:17:37:14 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:17:37:15 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:17:37:16 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:17:37:17 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [07/Mar/2023:19:14:23 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"40.220.102.15 - - [07/Mar/2023:19:14:17 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [07/Mar/2023:19:14:18 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) 
AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [07/Mar/2023:19:14:19 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n40.220.102.15 - - [07/Mar/2023:19:14:20 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [03/Mar/2023:13:12:29 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"16.4.20.20 - - [03/Mar/2023:13:12:23 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:13:12:24 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - 
[03/Mar/2023:13:12:25 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:13:12:26 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [03/Mar/2023:14:45:36 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"54.10.24.5 - - [03/Mar/2023:14:45:30 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [03/Mar/2023:14:45:31 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [03/Mar/2023:14:45:32 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [03/Mar/2023:14:45:33 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [05/Mar/2023:20:35:47 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"16.4.20.20 - - [05/Mar/2023:20:35:41 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [05/Mar/2023:20:35:42 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [05/Mar/2023:20:35:43 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [05/Mar/2023:20:35:44 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [06/Mar/2023:12:35:12 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"141.98.81.37 - - [06/Mar/2023:12:35:06 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [06/Mar/2023:12:35:07 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [06/Mar/2023:12:35:08 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [06/Mar/2023:12:35:09 +0000] \"GET 
/remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [06/Mar/2023:07:28:27 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"141.98.81.37 - - [06/Mar/2023:07:28:21 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:28:22 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:28:23 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c 
Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:28:24 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [05/Mar/2023:09:58:33 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"187.80.4.18 - - [05/Mar/2023:09:58:27 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:09:58:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:09:58:29 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n187.80.4.18 - - [05/Mar/2023:09:58:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [01/Mar/2023:22:14:21 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"187.80.4.18 - - [01/Mar/2023:22:14:15 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:22:14:16 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:22:14:17 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:22:14:18 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; 
LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [05/Mar/2023:00:13:56 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"45.75.196.15 - - [05/Mar/2023:00:13:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [05/Mar/2023:00:13:51 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [05/Mar/2023:00:13:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [05/Mar/2023:00:13:53 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [07/Mar/2023:10:24:52 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"54.10.24.5 - - [07/Mar/2023:10:24:46 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:10:24:47 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:10:24:48 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU 
iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [07/Mar/2023:10:24:49 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [02/Mar/2023:18:11:37 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"54.10.24.5 - - [02/Mar/2023:18:11:31 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [02/Mar/2023:18:11:32 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [02/Mar/2023:18:11:33 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [02/Mar/2023:18:11:34 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [03/Mar/2023:10:02:22 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"134.87.21.47 - - [03/Mar/2023:10:02:16 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:10:02:17 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:10:02:18 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:10:02:19 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [04/Mar/2023:16:10:03 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [04/Mar/2023:03:28:51 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"141.98.81.37 - - [04/Mar/2023:03:28:45 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:03:28:46 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:03:28:47 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:03:28:48 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [04/Mar/2023:18:23:45 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.124.37.241 - - [04/Mar/2023:18:23:39 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [04/Mar/2023:18:23:40 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [04/Mar/2023:18:23:41 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [04/Mar/2023:18:23:42 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [02/Mar/2023:17:30:05 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [06/Mar/2023:23:38:43 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [03/Mar/2023:00:46:25 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:00:46:19 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:00:46:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:00:46:21 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:00:46:22 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [07/Mar/2023:09:01:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [07/Mar/2023:09:01:02 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:09:01:03 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a 
Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:09:01:04 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:09:01:05 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [04/Mar/2023:13:50:58 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"141.98.81.37 - - [04/Mar/2023:13:50:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:13:50:53 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:13:50:54 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:13:50:55 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [04/Mar/2023:18:26:27 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [04/Mar/2023:18:26:21 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - 
[04/Mar/2023:18:26:22 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:18:26:23 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:18:26:24 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [06/Mar/2023:18:09:55 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"54.10.24.5 - - [06/Mar/2023:18:09:49 +0000] \"GET 
/db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [06/Mar/2023:18:09:50 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [06/Mar/2023:18:09:51 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [06/Mar/2023:18:09:52 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [01/Mar/2023:16:38:11 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [08/Mar/2023:03:20:42 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [08/Mar/2023:03:20:36 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:03:20:37 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:03:20:38 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:03:20:39 
+0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [05/Mar/2023:14:31:08 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"134.87.21.47 - - [05/Mar/2023:14:31:02 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:14:31:03 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:14:31:04 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:14:31:05 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [06/Mar/2023:22:14:29 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:22:14:23 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:14:24 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:14:25 
+0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:14:26 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [01/Mar/2023:11:48:59 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"54.10.24.5 - - [01/Mar/2023:11:48:53 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [01/Mar/2023:11:48:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [01/Mar/2023:11:48:55 +0000] \"GET \t/administrator/pma/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n54.10.24.5 - - [01/Mar/2023:11:48:56 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [02/Mar/2023:07:49:52 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [04/Mar/2023:12:03:37 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [08/Mar/2023:02:35:25 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.75.196.15 - - [08/Mar/2023:02:35:19 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [08/Mar/2023:02:35:20 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [08/Mar/2023:02:35:21 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [08/Mar/2023:02:35:22 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [06/Mar/2023:17:45:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [04/Mar/2023:23:31:06 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [04/Mar/2023:23:31:00 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:23:31:01 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:23:31:02 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:23:31:03 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 
7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [08/Mar/2023:07:35:06 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"45.75.196.15 - - [08/Mar/2023:07:35:00 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [08/Mar/2023:07:35:01 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [08/Mar/2023:07:35:02 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like 
Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [08/Mar/2023:07:35:03 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [05/Mar/2023:21:53:32 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:21:53:26 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:21:53:27 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:21:53:28 +0000] \"GET 
/remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:21:53:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [04/Mar/2023:09:56:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"40.220.102.15 - - [02/Mar/2023:00:09:31 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"40.220.102.15 - - [02/Mar/2023:00:09:25 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:00:09:26 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:00:09:27 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:00:09:28 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [08/Mar/2023:08:32:10 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"54.10.24.5 - - [08/Mar/2023:08:32:04 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:08:32:05 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:08:32:06 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:08:32:07 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [02/Mar/2023:03:45:37 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [02/Mar/2023:11:47:43 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"40.220.102.15 - - [02/Mar/2023:11:47:37 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:11:47:38 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:11:47:39 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:11:47:40 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [03/Mar/2023:18:04:02 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [03/Mar/2023:18:03:56 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [03/Mar/2023:18:03:57 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [03/Mar/2023:18:03:58 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [03/Mar/2023:18:03:59 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [04/Mar/2023:01:59:15 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"134.87.21.47 - - [04/Mar/2023:01:59:09 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [04/Mar/2023:01:59:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [04/Mar/2023:01:59:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [04/Mar/2023:01:59:12 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [01/Mar/2023:10:58:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [02/Mar/2023:07:39:52 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.124.37.241 - - [02/Mar/2023:07:39:46 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:07:39:47 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:07:39:48 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.124.37.241 - - [02/Mar/2023:07:39:49 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [03/Mar/2023:11:34:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [07/Mar/2023:03:03:23 +0000] \"GET 
/mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"16.4.20.20 - - [07/Mar/2023:03:03:17 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n16.4.20.20 - - [07/Mar/2023:03:03:18 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n16.4.20.20 - - [07/Mar/2023:03:03:19 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n16.4.20.20 - - [07/Mar/2023:03:03:20 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [01/Mar/2023:10:29:44 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [06/Mar/2023:07:48:46 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"45.124.37.241 - - [06/Mar/2023:07:48:40 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [06/Mar/2023:07:48:41 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [06/Mar/2023:07:48:42 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.124.37.241 - - [06/Mar/2023:07:48:43 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [07/Mar/2023:09:34:50 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [04/Mar/2023:03:36:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [06/Mar/2023:04:39:34 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"134.87.21.47 - - [06/Mar/2023:04:39:28 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [06/Mar/2023:04:39:29 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [06/Mar/2023:04:39:30 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [06/Mar/2023:04:39:31 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [06/Mar/2023:14:41:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [06/Mar/2023:15:21:51 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [08/Mar/2023:03:58:13 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [07/Mar/2023:14:53:58 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"134.87.21.47 - - [07/Mar/2023:14:53:52 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n134.87.21.47 - - [07/Mar/2023:14:53:53 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n134.87.21.47 - - [07/Mar/2023:14:53:54 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n134.87.21.47 - - [07/Mar/2023:14:53:55 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) 
Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [03/Mar/2023:16:34:18 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [03/Mar/2023:18:42:28 +0000] \"GET 
/shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [03/Mar/2023:18:42:22 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:18:42:23 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:18:42:24 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:18:42:25 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [06/Mar/2023:23:27:47 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"187.80.4.18 - - [06/Mar/2023:23:27:41 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:23:27:42 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:23:27:43 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:23:27:44 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [03/Mar/2023:04:54:37 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [04/Mar/2023:01:55:45 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 
10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [07/Mar/2023:12:48:20 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [03/Mar/2023:05:05:29 +0000] 
\"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [07/Mar/2023:13:50:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [01/Mar/2023:10:12:56 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"134.87.21.47 - - [01/Mar/2023:10:12:50 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [01/Mar/2023:10:12:51 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [01/Mar/2023:10:12:52 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [01/Mar/2023:10:12:53 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"40.220.102.15 - - [06/Mar/2023:06:16:53 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [03/Mar/2023:05:40:01 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [05/Mar/2023:01:52:05 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.124.37.241 - - [05/Mar/2023:01:51:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:52:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:52:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:52:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [01/Mar/2023:09:04:07 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"141.98.81.37 - - [01/Mar/2023:09:04:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:09:04:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:09:04:03 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [01/Mar/2023:09:04:04 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [08/Mar/2023:08:17:35 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [03/Mar/2023:01:35:04 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:20:50:41 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"54.10.24.5 - - [05/Mar/2023:20:50:35 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:20:50:36 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:20:50:37 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:20:50:38 +0000] \"GET 
/pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [04/Mar/2023:22:32:13 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"45.75.196.15 - - [04/Mar/2023:22:32:07 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:22:32:08 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:22:32:09 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:22:32:10 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [02/Mar/2023:04:24:52 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [03/Mar/2023:20:42:59 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [07/Mar/2023:16:45:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [03/Mar/2023:06:38:19 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [02/Mar/2023:06:41:21 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [03/Mar/2023:03:08:07 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"134.87.21.47 - - [03/Mar/2023:03:08:01 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [03/Mar/2023:03:08:02 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [03/Mar/2023:03:08:03 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [03/Mar/2023:03:08:04 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [06/Mar/2023:03:48:47 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"187.80.4.18 - - [06/Mar/2023:03:48:41 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:03:48:42 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:03:48:43 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:03:48:44 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [03/Mar/2023:08:39:44 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [02/Mar/2023:18:32:32 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) 
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [08/Mar/2023:00:24:32 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"16.4.20.20 - - [08/Mar/2023:00:24:26 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [08/Mar/2023:00:24:27 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [08/Mar/2023:00:24:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 
Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [08/Mar/2023:00:24:29 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [07/Mar/2023:14:21:06 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"40.220.102.15 - - [07/Mar/2023:14:21:00 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:14:21:01 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:14:21:02 +0000] \"GET 
/remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:14:21:03 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [05/Mar/2023:22:33:34 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [03/Mar/2023:17:08:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [06/Mar/2023:14:21:38 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"141.98.81.37 - - [06/Mar/2023:14:21:32 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:14:21:33 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:14:21:34 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:14:21:35 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [08/Mar/2023:08:44:05 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" 
\"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [02/Mar/2023:07:41:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [04/Mar/2023:20:37:43 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [03/Mar/2023:23:27:38 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 
Mobile/14F89 Safari/603.2.4\"","previous_output":"45.75.196.15 - - [03/Mar/2023:23:27:32 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [03/Mar/2023:23:27:33 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [03/Mar/2023:23:27:34 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.75.196.15 - - [03/Mar/2023:23:27:35 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [07/Mar/2023:21:25:02 
+0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"141.98.81.37 - - [07/Mar/2023:21:24:56 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [07/Mar/2023:21:24:57 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [07/Mar/2023:21:24:58 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [07/Mar/2023:21:24:59 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [06/Mar/2023:13:44:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [06/Mar/2023:11:39:14 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:11:39:08 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:11:39:09 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:11:39:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:11:39:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [06/Mar/2023:11:21:28 +0000] 
\"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [03/Mar/2023:05:09:28 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [02/Mar/2023:12:01:38 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"134.87.21.47 - - [02/Mar/2023:12:01:32 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [02/Mar/2023:12:01:33 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [02/Mar/2023:12:01:34 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [02/Mar/2023:12:01:35 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [02/Mar/2023:19:02:58 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"45.75.196.15 - - [02/Mar/2023:19:02:52 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.75.196.15 - - [02/Mar/2023:19:02:53 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.75.196.15 - - [02/Mar/2023:19:02:54 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n45.75.196.15 - - [02/Mar/2023:19:02:55 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [07/Mar/2023:02:49:45 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"134.87.21.47 - - [07/Mar/2023:02:49:39 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [07/Mar/2023:02:49:40 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [07/Mar/2023:02:49:41 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [07/Mar/2023:02:49:42 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [02/Mar/2023:15:25:07 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [01/Mar/2023:15:04:24 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 
(KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [03/Mar/2023:13:11:58 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"134.87.21.47 - - [03/Mar/2023:13:11:52 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [03/Mar/2023:13:11:53 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [03/Mar/2023:13:11:54 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n134.87.21.47 - - [03/Mar/2023:13:11:55 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [03/Mar/2023:03:46:19 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"40.220.102.15 - - [03/Mar/2023:03:46:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:03:46:14 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:03:46:15 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:03:46:16 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [05/Mar/2023:00:00:27 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [07/Mar/2023:17:50:23 +0000] \"GET 
/db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"40.220.102.15 - - [07/Mar/2023:17:50:17 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [07/Mar/2023:17:50:18 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [07/Mar/2023:17:50:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [07/Mar/2023:17:50:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [02/Mar/2023:12:39:19 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [05/Mar/2023:02:15:36 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"40.220.102.15 - - [05/Mar/2023:02:15:30 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [05/Mar/2023:02:15:31 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [05/Mar/2023:02:15:32 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [05/Mar/2023:02:15:33 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [03/Mar/2023:09:38:51 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"187.80.4.18 - - [03/Mar/2023:09:38:45 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:09:38:46 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:09:38:47 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:09:38:48 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [04/Mar/2023:08:03:17 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [04/Mar/2023:08:03:11 
+0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:08:03:12 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:08:03:13 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:08:03:14 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [07/Mar/2023:11:37:59 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 
7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"16.4.20.20 - - [07/Mar/2023:11:37:53 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [07/Mar/2023:11:37:54 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [07/Mar/2023:11:37:55 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n16.4.20.20 - - [07/Mar/2023:11:37:56 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [01/Mar/2023:14:12:41 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [01/Mar/2023:14:12:35 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:14:12:36 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:14:12:37 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [01/Mar/2023:14:12:38 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:02:29:17 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [05/Mar/2023:18:45:13 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [03/Mar/2023:00:58:53 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"134.87.21.47 - - [03/Mar/2023:00:58:47 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n134.87.21.47 - - [03/Mar/2023:00:58:48 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n134.87.21.47 - - [03/Mar/2023:00:58:49 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n134.87.21.47 - - [03/Mar/2023:00:58:50 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [06/Mar/2023:19:31:16 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"45.75.196.15 - - [06/Mar/2023:19:31:10 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.75.196.15 - - [06/Mar/2023:19:31:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.75.196.15 - - [06/Mar/2023:19:31:12 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.75.196.15 - - [06/Mar/2023:19:31:13 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [07/Mar/2023:17:40:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"187.80.4.18 - - [07/Mar/2023:17:40:20 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:17:40:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:17:40:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:17:40:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [04/Mar/2023:21:50:27 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"16.4.20.20 - - [04/Mar/2023:21:50:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:21:50:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:21:50:23 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:21:50:24 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [04/Mar/2023:02:25:33 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [05/Mar/2023:13:53:18 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) 
Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [03/Mar/2023:22:17:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"54.10.24.5 - - [03/Mar/2023:22:17:51 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [03/Mar/2023:22:17:52 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [03/Mar/2023:22:17:53 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like 
Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [03/Mar/2023:22:17:54 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [05/Mar/2023:14:49:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [07/Mar/2023:13:24:26 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [03/Mar/2023:22:12:11 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"40.220.102.15 - - [03/Mar/2023:22:12:05 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [03/Mar/2023:22:12:06 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [03/Mar/2023:22:12:07 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [03/Mar/2023:22:12:08 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [02/Mar/2023:10:17:14 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"45.124.37.241 - - [02/Mar/2023:10:17:08 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:10:17:09 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:10:17:10 +0000] \"GET 
/ HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:10:17:11 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [04/Mar/2023:02:08:22 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"141.98.81.37 - - [04/Mar/2023:02:08:16 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [04/Mar/2023:02:08:17 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [04/Mar/2023:02:08:18 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 
Safari/537.36 Edge/14.14393\"\n141.98.81.37 - - [04/Mar/2023:02:08:19 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [06/Mar/2023:15:03:41 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [08/Mar/2023:02:00:37 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [08/Mar/2023:02:00:31 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:02:00:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:02:00:33 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [08/Mar/2023:02:00:34 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [07/Mar/2023:04:32:18 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [07/Mar/2023:17:17:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [03/Mar/2023:09:04:04 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - 
[03/Mar/2023:07:23:11 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [07/Mar/2023:15:28:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - 
[02/Mar/2023:05:14:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [06/Mar/2023:13:43:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [03/Mar/2023:06:28:12 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"45.75.196.15 - - [03/Mar/2023:06:28:06 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:06:28:07 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:06:28:08 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:06:28:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 
Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [01/Mar/2023:18:16:04 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"54.10.24.5 - - [01/Mar/2023:18:15:58 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [01/Mar/2023:18:15:59 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [01/Mar/2023:18:16:00 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [01/Mar/2023:18:16:01 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; 
Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [05/Mar/2023:14:34:14 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"141.98.81.37 - - [05/Mar/2023:14:34:08 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:14:34:09 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:14:34:10 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 
Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:14:34:11 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [03/Mar/2023:23:01:42 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [08/Mar/2023:07:53:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:16:20:29 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [08/Mar/2023:06:30:57 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:15:38:04 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 
219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:04:39:34 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"187.80.4.18 - - [05/Mar/2023:04:39:28 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:04:39:29 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:04:39:30 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:04:39:31 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like 
Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [06/Mar/2023:18:54:01 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"16.4.20.20 - - [06/Mar/2023:18:53:55 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [06/Mar/2023:18:53:56 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [06/Mar/2023:18:53:57 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [06/Mar/2023:18:53:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 
404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [03/Mar/2023:16:06:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [01/Mar/2023:20:44:46 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"141.98.81.37 - - [01/Mar/2023:20:44:40 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [01/Mar/2023:20:44:41 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [01/Mar/2023:20:44:42 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [01/Mar/2023:20:44:43 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [06/Mar/2023:15:23:55 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [05/Mar/2023:01:32:42 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [05/Mar/2023:01:32:36 +0000] 
\"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:32:37 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:32:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:01:32:39 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [02/Mar/2023:16:54:17 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [05/Mar/2023:01:32:33 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [05/Mar/2023:11:42:37 +0000] \"GET /remote/login?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [08/Mar/2023:07:24:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"54.10.24.5 - - [08/Mar/2023:07:24:22 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:07:24:23 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:07:24:24 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 
Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [08/Mar/2023:07:24:25 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [02/Mar/2023:15:30:19 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [04/Mar/2023:17:16:07 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"16.4.20.20 - - [04/Mar/2023:17:16:01 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:17:16:02 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:17:16:03 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:17:16:04 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [03/Mar/2023:19:59:59 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [06/Mar/2023:02:25:32 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"45.124.37.241 - - [06/Mar/2023:02:25:26 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:02:25:27 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:02:25:28 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:02:25:29 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [06/Mar/2023:21:46:45 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [01/Mar/2023:10:11:31 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"40.220.102.15 - - [01/Mar/2023:10:11:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [01/Mar/2023:10:11:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [01/Mar/2023:10:11:27 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [01/Mar/2023:10:11:28 +0000] \"GET /administrator/db/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [02/Mar/2023:16:13:00 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [04/Mar/2023:01:37:29 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [03/Mar/2023:18:05:46 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [06/Mar/2023:18:56:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"141.98.81.37 - - [06/Mar/2023:18:56:25 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:18:56:26 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:18:56:27 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:18:56:28 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [03/Mar/2023:17:01:14 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - 
[06/Mar/2023:03:17:48 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"54.10.24.5 - - [06/Mar/2023:03:17:42 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:03:17:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:03:17:44 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n54.10.24.5 - - [06/Mar/2023:03:17:45 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [04/Mar/2023:20:39:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [04/Mar/2023:20:39:27 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:20:39:28 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:20:39:29 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:20:39:30 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [07/Mar/2023:02:15:57 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [07/Mar/2023:02:15:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:02:15:52 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:02:15:53 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [07/Mar/2023:02:15:54 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [07/Mar/2023:00:43:24 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [06/Mar/2023:06:39:18 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [03/Mar/2023:04:46:52 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"16.4.20.20 - - [03/Mar/2023:04:46:46 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [03/Mar/2023:04:46:47 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [03/Mar/2023:04:46:48 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [03/Mar/2023:04:46:49 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 
like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [06/Mar/2023:14:27:03 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"45.75.196.15 - - [06/Mar/2023:14:26:57 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [06/Mar/2023:14:26:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [06/Mar/2023:14:26:59 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 
- - [06/Mar/2023:14:27:00 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [04/Mar/2023:09:12:14 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.75.196.15 - - [04/Mar/2023:09:12:08 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:09:12:09 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:09:12:10 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:09:12:11 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [06/Mar/2023:19:42:57 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"45.75.196.15 - - [06/Mar/2023:19:42:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [06/Mar/2023:19:42:52 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [06/Mar/2023:19:42:53 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [06/Mar/2023:19:42:54 +0000] \"GET /index.asp 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [06/Mar/2023:12:25:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [08/Mar/2023:00:03:59 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [01/Mar/2023:23:16:51 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:22:18:17 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:09:22:55 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"141.98.81.37 - - [02/Mar/2023:09:22:49 +0000] \"GET 
/sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:09:22:50 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:09:22:51 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n141.98.81.37 - - [02/Mar/2023:09:22:52 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [04/Mar/2023:10:21:00 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"16.4.20.20 - - [04/Mar/2023:10:20:54 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like 
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [04/Mar/2023:10:20:55 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [04/Mar/2023:10:20:56 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [04/Mar/2023:10:20:57 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [02/Mar/2023:19:10:57 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 
Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"141.98.81.37 - - [02/Mar/2023:19:10:51 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [02/Mar/2023:19:10:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [02/Mar/2023:19:10:53 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [02/Mar/2023:19:10:54 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [05/Mar/2023:07:13:34 +0000] 
\"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [05/Mar/2023:08:48:17 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"187.80.4.18 - - [05/Mar/2023:08:48:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:08:48:12 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:08:48:13 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n187.80.4.18 - - 
[05/Mar/2023:08:48:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [04/Mar/2023:20:02:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [04/Mar/2023:13:01:54 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [04/Mar/2023:12:43:41 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile 
Safari/534.30\"","previous_output":"45.75.196.15 - - [04/Mar/2023:12:43:35 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [04/Mar/2023:12:43:36 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [04/Mar/2023:12:43:37 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [04/Mar/2023:12:43:38 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [06/Mar/2023:01:22:12 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [06/Mar/2023:09:00:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [05/Mar/2023:23:17:35 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 
219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [02/Mar/2023:21:53:49 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"54.10.24.5 - - [02/Mar/2023:21:53:43 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [02/Mar/2023:21:53:44 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [02/Mar/2023:21:53:45 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - 
[02/Mar/2023:21:53:46 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [05/Mar/2023:13:40:35 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [05/Mar/2023:06:58:40 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [05/Mar/2023:10:48:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [06/Mar/2023:00:41:17 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [04/Mar/2023:08:30:28 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [01/Mar/2023:11:06:21 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"40.220.102.15 - - [01/Mar/2023:11:06:15 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [01/Mar/2023:11:06:16 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [01/Mar/2023:11:06:17 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n40.220.102.15 - - [01/Mar/2023:11:06:18 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [03/Mar/2023:12:17:34 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [05/Mar/2023:15:27:17 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:15:27:11 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:15:27:12 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:15:27:13 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:15:27:14 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [01/Mar/2023:19:01:28 +0000] \"GET /index.asp HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.124.37.241 - - [01/Mar/2023:19:01:22 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [01/Mar/2023:19:01:23 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [01/Mar/2023:19:01:24 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [01/Mar/2023:19:01:25 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [04/Mar/2023:22:19:04 +0000] 
\"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [03/Mar/2023:06:09:44 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"134.87.21.47 - - [03/Mar/2023:06:09:38 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:06:09:39 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:06:09:40 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:06:09:41 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [04/Mar/2023:04:25:17 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [05/Mar/2023:09:41:05 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [07/Mar/2023:09:11:24 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [08/Mar/2023:05:21:47 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [05/Mar/2023:10:46:20 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"187.80.4.18 - - [05/Mar/2023:10:46:14 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:10:46:15 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:10:46:16 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [05/Mar/2023:10:46:17 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [02/Mar/2023:21:03:20 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"45.124.37.241 - - [02/Mar/2023:21:03:14 +0000] \"GET /index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.124.37.241 - - [02/Mar/2023:21:03:15 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.124.37.241 - - [02/Mar/2023:21:03:16 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n45.124.37.241 - - [02/Mar/2023:21:03:17 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [01/Mar/2023:19:41:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [06/Mar/2023:09:37:56 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [05/Mar/2023:12:28:26 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile 
Safari/537.36\"","previous_output":"16.4.20.20 - - [05/Mar/2023:12:28:20 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:12:28:21 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:12:28:22 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:12:28:23 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [02/Mar/2023:01:44:54 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) 
AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [02/Mar/2023:15:48:47 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [05/Mar/2023:18:49:42 
+0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"134.87.21.47 - - [05/Mar/2023:18:49:36 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n134.87.21.47 - - [05/Mar/2023:18:49:37 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n134.87.21.47 - - [05/Mar/2023:18:49:38 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n134.87.21.47 - - [05/Mar/2023:18:49:39 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [08/Mar/2023:04:43:32 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"54.10.24.5 - - [08/Mar/2023:04:43:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [08/Mar/2023:04:43:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [08/Mar/2023:04:43:28 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [08/Mar/2023:04:43:29 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile 
Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [06/Mar/2023:19:14:12 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"187.80.4.18 - - [06/Mar/2023:19:14:06 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [06/Mar/2023:19:14:07 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [06/Mar/2023:19:14:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n187.80.4.18 - - [06/Mar/2023:19:14:09 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web 
server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [07/Mar/2023:23:07:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [04/Mar/2023:22:27:29 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"54.10.24.5 - - 
[04/Mar/2023:22:27:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [04/Mar/2023:22:27:24 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [04/Mar/2023:22:27:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [04/Mar/2023:22:27:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [05/Mar/2023:04:23:37 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 
Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:04:23:31 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:04:23:32 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:04:23:33 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:04:23:34 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [05/Mar/2023:21:54:14 +0000] \"GET 
/db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"187.80.4.18 - - [05/Mar/2023:21:54:08 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n187.80.4.18 - - [05/Mar/2023:21:54:09 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n187.80.4.18 - - [05/Mar/2023:21:54:10 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n187.80.4.18 - - [05/Mar/2023:21:54:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [04/Mar/2023:18:52:18 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [04/Mar/2023:20:23:42 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [05/Mar/2023:10:30:55 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [04/Mar/2023:03:04:06 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:03:04:00 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:03:04:01 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:03:04:02 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:03:04:03 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [07/Mar/2023:21:34:10 +0000] \"GET /administrator/admin/index.php?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [01/Mar/2023:14:30:47 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"134.87.21.47 - - [01/Mar/2023:14:30:41 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [01/Mar/2023:14:30:42 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [01/Mar/2023:14:30:43 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [01/Mar/2023:14:30:44 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) 
AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [03/Mar/2023:00:43:44 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [04/Mar/2023:23:56:23 +0000] \"GET /administrator/db/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"54.10.24.5 - - [04/Mar/2023:23:56:17 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n54.10.24.5 - - [04/Mar/2023:23:56:18 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n54.10.24.5 - - [04/Mar/2023:23:56:19 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n54.10.24.5 - - [04/Mar/2023:23:56:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [08/Mar/2023:01:32:32 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [02/Mar/2023:04:43:14 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"45.124.37.241 - - [02/Mar/2023:04:43:08 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:04:43:09 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:04:43:10 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.124.37.241 - - [02/Mar/2023:04:43:11 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [04/Mar/2023:00:37:07 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [07/Mar/2023:23:59:02 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile 
Safari/537.36\"","previous_output":"134.87.21.47 - - [07/Mar/2023:23:58:56 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:23:58:57 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:23:58:58 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:23:58:59 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"full_log":"45.75.196.15 - - [07/Mar/2023:12:51:12 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [05/Mar/2023:13:25:18 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [02/Mar/2023:04:24:18 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [03/Mar/2023:21:09:24 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [01/Mar/2023:09:27:04 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [03/Mar/2023:12:51:49 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [03/Mar/2023:11:35:03 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"187.80.4.18 - - [03/Mar/2023:11:34:57 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n187.80.4.18 - - [03/Mar/2023:11:34:58 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n187.80.4.18 - - [03/Mar/2023:11:34:59 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n187.80.4.18 - - [03/Mar/2023:11:35:00 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:00:39:34 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [07/Mar/2023:08:42:31 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [07/Mar/2023:08:42:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:08:42:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:08:42:27 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:08:42:28 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [01/Mar/2023:22:07:57 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"134.87.21.47 - - [01/Mar/2023:22:07:51 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [01/Mar/2023:22:07:52 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [01/Mar/2023:22:07:53 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [01/Mar/2023:22:07:54 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [03/Mar/2023:12:17:09 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - 
[07/Mar/2023:14:46:48 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [03/Mar/2023:09:06:32 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"54.10.24.5 - - [03/Mar/2023:09:06:26 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [03/Mar/2023:09:06:27 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [03/Mar/2023:09:06:28 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [03/Mar/2023:09:06:29 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [05/Mar/2023:03:36:55 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [07/Mar/2023:15:27:36 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [02/Mar/2023:07:55:19 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [06/Mar/2023:02:56:22 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:08:03:18 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [04/Mar/2023:15:39:26 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"16.4.20.20 - - [04/Mar/2023:15:39:20 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:15:39:21 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:15:39:22 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:15:39:23 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same 
source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [08/Mar/2023:08:11:12 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"54.10.24.5 - - [08/Mar/2023:08:11:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [08/Mar/2023:08:11:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [08/Mar/2023:08:11:08 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [08/Mar/2023:08:11:09 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [02/Mar/2023:22:08:09 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [08/Mar/2023:02:40:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 
like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [01/Mar/2023:20:35:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - 
[07/Mar/2023:12:33:26 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [03/Mar/2023:05:48:47 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"187.80.4.18 - - [03/Mar/2023:05:48:41 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:05:48:42 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:05:48:43 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:05:48:44 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [02/Mar/2023:05:30:58 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [07/Mar/2023:14:11:57 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"54.10.24.5 - - [07/Mar/2023:14:11:51 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [07/Mar/2023:14:11:52 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [07/Mar/2023:14:11:53 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [07/Mar/2023:14:11:54 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [06/Mar/2023:08:19:50 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [06/Mar/2023:08:02:47 
+0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"45.124.37.241 - - [06/Mar/2023:08:02:41 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:08:02:42 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:08:02:43 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n45.124.37.241 - - [06/Mar/2023:08:02:44 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [07/Mar/2023:15:38:38 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"134.87.21.47 - - [07/Mar/2023:15:38:32 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:15:38:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:15:38:34 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:15:38:35 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [02/Mar/2023:07:21:09 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.75.196.15 - - [02/Mar/2023:07:21:03 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [02/Mar/2023:07:21:04 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [02/Mar/2023:07:21:05 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [02/Mar/2023:07:21:06 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [06/Mar/2023:02:33:03 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [06/Mar/2023:06:03:00 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [03/Mar/2023:18:41:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 
Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [08/Mar/2023:04:38:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [01/Mar/2023:22:11:23 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 
(KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [03/Mar/2023:23:44:55 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"40.220.102.15 - - [03/Mar/2023:23:44:49 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:23:44:50 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:23:44:51 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n40.220.102.15 - - 
[03/Mar/2023:23:44:52 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [05/Mar/2023:18:50:05 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"16.4.20.20 - - [05/Mar/2023:18:49:59 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n16.4.20.20 - - [05/Mar/2023:18:50:00 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n16.4.20.20 - - [05/Mar/2023:18:50:01 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n16.4.20.20 - - [05/Mar/2023:18:50:02 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [01/Mar/2023:19:02:10 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [01/Mar/2023:19:02:04 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [01/Mar/2023:19:02:05 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [01/Mar/2023:19:02:06 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [01/Mar/2023:19:02:07 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [06/Mar/2023:22:15:52 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [03/Mar/2023:07:16:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [07/Mar/2023:19:58:01 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"45.124.37.241 
- - [07/Mar/2023:19:57:55 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:19:57:56 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:19:57:57 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:19:57:58 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [05/Mar/2023:15:45:53 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"45.124.37.241 - - 
[05/Mar/2023:15:45:47 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:15:45:48 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:15:45:49 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:15:45:50 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [05/Mar/2023:18:34:02 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"141.98.81.37 - - [05/Mar/2023:18:33:56 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [05/Mar/2023:18:33:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [05/Mar/2023:18:33:58 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [05/Mar/2023:18:33:59 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [07/Mar/2023:21:34:29 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"40.220.102.15 - - [07/Mar/2023:21:34:23 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:21:34:24 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:21:34:25 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:21:34:26 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [02/Mar/2023:12:12:53 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [01/Mar/2023:11:33:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.75.196.15 - - [01/Mar/2023:11:33:26 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:11:33:27 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:11:33:28 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:11:33:29 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [02/Mar/2023:09:51:17 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [02/Mar/2023:09:51:11 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:09:51:12 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:09:51:13 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [02/Mar/2023:09:51:14 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [03/Mar/2023:19:22:59 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [01/Mar/2023:15:15:08 +0000] \"GET /shopdb/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"134.87.21.47 - - [01/Mar/2023:15:15:02 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [01/Mar/2023:15:15:03 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [01/Mar/2023:15:15:04 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [01/Mar/2023:15:15:05 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [05/Mar/2023:20:24:57 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [04/Mar/2023:12:55:59 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [04/Mar/2023:12:36:59 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [08/Mar/2023:07:56:12 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"141.98.81.37 - - [08/Mar/2023:07:56:06 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [08/Mar/2023:07:56:07 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [08/Mar/2023:07:56:08 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n141.98.81.37 - - [08/Mar/2023:07:56:09 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [05/Mar/2023:03:00:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"45.75.196.15 - - [05/Mar/2023:02:59:55 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [05/Mar/2023:02:59:56 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [05/Mar/2023:02:59:57 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [05/Mar/2023:02:59:58 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [08/Mar/2023:02:52:04 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"40.220.102.15 - - [08/Mar/2023:02:51:58 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:02:51:59 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:02:52:00 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [08/Mar/2023:02:52:01 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [04/Mar/2023:11:15:33 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"16.4.20.20 - - [04/Mar/2023:11:15:27 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [04/Mar/2023:11:15:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [04/Mar/2023:11:15:29 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n16.4.20.20 - - [04/Mar/2023:11:15:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone 
OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:08:40:48 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [03/Mar/2023:08:28:32 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"40.220.102.15 - - [03/Mar/2023:08:28:26 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n40.220.102.15 - - [03/Mar/2023:08:28:27 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n40.220.102.15 - - [03/Mar/2023:08:28:28 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n40.220.102.15 - - [03/Mar/2023:08:28:29 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [05/Mar/2023:10:48:47 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"141.98.81.37 - - [05/Mar/2023:10:48:41 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [05/Mar/2023:10:48:42 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [05/Mar/2023:10:48:43 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [05/Mar/2023:10:48:44 
+0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [05/Mar/2023:21:20:07 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"full_log":"45.124.37.241 - - [06/Mar/2023:13:27:37 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [03/Mar/2023:15:27:25 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [07/Mar/2023:23:46:33 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"141.98.81.37 - - [07/Mar/2023:23:46:27 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [07/Mar/2023:23:46:28 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [07/Mar/2023:23:46:29 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [07/Mar/2023:23:46:30 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [02/Mar/2023:07:32:10 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [01/Mar/2023:15:35:19 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple 
web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [05/Mar/2023:02:08:34 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"40.220.102.15 - - [05/Mar/2023:02:08:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [05/Mar/2023:02:08:29 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [05/Mar/2023:02:08:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [05/Mar/2023:02:08:31 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [07/Mar/2023:19:18:19 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [07/Mar/2023:19:18:13 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:19:18:14 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:19:18:15 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:19:18:16 +0000] 
\"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [02/Mar/2023:23:22:06 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [05/Mar/2023:17:21:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"134.87.21.47 - - [05/Mar/2023:17:21:22 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:17:21:23 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:17:21:24 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:17:21:25 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [08/Mar/2023:00:54:35 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"134.87.21.47 - - [08/Mar/2023:00:54:29 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [08/Mar/2023:00:54:30 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [08/Mar/2023:00:54:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [08/Mar/2023:00:54:32 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [08/Mar/2023:02:49:39 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:22:12:25 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:22:12:19 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:12:20 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:12:21 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:22:12:22 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [06/Mar/2023:16:05:18 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [04/Mar/2023:12:27:16 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [06/Mar/2023:16:27:28 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [05/Mar/2023:23:16:33 +0000] \"GET 
/mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [07/Mar/2023:17:02:55 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"54.10.24.5 - - [07/Mar/2023:17:02:49 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:17:02:50 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:17:02:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:17:02:52 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [06/Mar/2023:04:33:04 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"54.10.24.5 - - [06/Mar/2023:04:32:58 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [06/Mar/2023:04:32:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [06/Mar/2023:04:33:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [06/Mar/2023:04:33:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 
10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [03/Mar/2023:08:20:15 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"187.80.4.18 - - [03/Mar/2023:08:20:09 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [03/Mar/2023:08:20:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [03/Mar/2023:08:20:11 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a 
Safari/604.1\"\n187.80.4.18 - - [03/Mar/2023:08:20:12 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [07/Mar/2023:00:07:53 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [01/Mar/2023:20:50:16 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [04/Mar/2023:01:55:20 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"16.4.20.20 - - [04/Mar/2023:01:55:14 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:01:55:15 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:01:55:16 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n16.4.20.20 - - [04/Mar/2023:01:55:17 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [04/Mar/2023:17:09:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"141.98.81.37 - - [04/Mar/2023:17:09:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:17:09:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:17:09:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n141.98.81.37 - - [04/Mar/2023:17:09:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [04/Mar/2023:10:20:09 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like 
Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [06/Mar/2023:16:44:47 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - 
[02/Mar/2023:16:13:36 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"141.98.81.37 - - [02/Mar/2023:16:13:30 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [02/Mar/2023:16:13:31 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [02/Mar/2023:16:13:32 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [02/Mar/2023:16:13:33 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [08/Mar/2023:07:22:32 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [04/Mar/2023:08:42:58 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [04/Mar/2023:11:04:50 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [04/Mar/2023:11:04:44 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:04:45 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:04:46 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:11:04:47 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [05/Mar/2023:23:39:49 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"45.124.37.241 - - [05/Mar/2023:23:39:43 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:23:39:44 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:23:39:45 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n45.124.37.241 - - [05/Mar/2023:23:39:46 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [07/Mar/2023:00:46:53 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [04/Mar/2023:13:53:28 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"45.75.196.15 - - [04/Mar/2023:13:53:22 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:13:53:23 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:13:53:24 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:13:53:25 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - 
[07/Mar/2023:07:06:37 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"54.10.24.5 - - [07/Mar/2023:07:06:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [07/Mar/2023:07:06:32 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [07/Mar/2023:07:06:33 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [07/Mar/2023:07:06:34 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [02/Mar/2023:01:51:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"141.98.81.37 - - [02/Mar/2023:01:51:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [02/Mar/2023:01:51:53 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [02/Mar/2023:01:51:54 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [02/Mar/2023:01:51:55 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [03/Mar/2023:23:01:06 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"16.4.20.20 - - [03/Mar/2023:23:01:00 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [03/Mar/2023:23:01:01 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [03/Mar/2023:23:01:02 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [03/Mar/2023:23:01:03 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [02/Mar/2023:05:41:12 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"40.220.102.15 - - [02/Mar/2023:05:41:06 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:05:41:07 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:05:41:08 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:05:41:09 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [05/Mar/2023:07:49:05 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [05/Mar/2023:01:34:39 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:01:34:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:01:34:34 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:01:34:35 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n45.75.196.15 - - 
[05/Mar/2023:01:34:36 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [01/Mar/2023:22:06:45 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"40.220.102.15 - - [01/Mar/2023:22:06:39 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [01/Mar/2023:22:06:40 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [01/Mar/2023:22:06:41 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) 
NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [01/Mar/2023:22:06:42 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [04/Mar/2023:01:34:06 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [02/Mar/2023:11:02:41 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [01/Mar/2023:21:13:50 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"54.10.24.5 - - 
[01/Mar/2023:21:13:44 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [01/Mar/2023:21:13:45 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [01/Mar/2023:21:13:46 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [01/Mar/2023:21:13:47 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [08/Mar/2023:07:01:59 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [08/Mar/2023:05:07:48 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [04/Mar/2023:11:51:02 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 
\"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [01/Mar/2023:09:56:09 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"141.98.81.37 - - [01/Mar/2023:09:56:03 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [01/Mar/2023:09:56:04 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [01/Mar/2023:09:56:05 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) 
Version/12.0 Mobile/15E148 Safari/604.1\"\n141.98.81.37 - - [01/Mar/2023:09:56:06 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [03/Mar/2023:18:26:05 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [02/Mar/2023:14:52:57 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [05/Mar/2023:10:52:58 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [04/Mar/2023:16:18:25 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"16.4.20.20 - - [04/Mar/2023:16:18:19 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [04/Mar/2023:16:18:20 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [04/Mar/2023:16:18:21 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n16.4.20.20 - - [04/Mar/2023:16:18:22 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [07/Mar/2023:22:24:59 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [07/Mar/2023:22:24:53 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:24:54 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:24:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:22:24:56 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [06/Mar/2023:02:12:35 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"141.98.81.37 - - [06/Mar/2023:02:12:29 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:02:12:30 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:02:12:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:02:12:32 +0000] \"GET 
/db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [02/Mar/2023:04:32:07 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [02/Mar/2023:18:10:39 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [03/Mar/2023:13:25:51 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"141.98.81.37 - - [03/Mar/2023:13:25:45 +0000] \"GET /sql/sqlweb/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:13:25:46 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:13:25:47 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:13:25:48 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [06/Mar/2023:12:02:14 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 
Mobile/15A5370a Safari/604.1\"","previous_output":"187.80.4.18 - - [06/Mar/2023:12:02:08 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:12:02:09 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:12:02:10 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:12:02:11 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [05/Mar/2023:22:45:46 +0000] \"GET /shopdb/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"134.87.21.47 - - [05/Mar/2023:22:45:40 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [05/Mar/2023:22:45:41 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [05/Mar/2023:22:45:42 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n134.87.21.47 - - [05/Mar/2023:22:45:43 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [02/Mar/2023:17:32:22 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [04/Mar/2023:23:04:22 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 
Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [05/Mar/2023:22:01:05 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [03/Mar/2023:00:13:59 +0000] 
\"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"134.87.21.47 - - [03/Mar/2023:00:13:53 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n134.87.21.47 - - [03/Mar/2023:00:13:54 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n134.87.21.47 - - [03/Mar/2023:00:13:55 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n134.87.21.47 - - [03/Mar/2023:00:13:56 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [07/Mar/2023:14:38:53 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"54.10.24.5 - - [07/Mar/2023:14:38:47 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:14:38:48 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:14:38:49 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:14:38:50 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [04/Mar/2023:02:55:34 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"16.4.20.20 - - [04/Mar/2023:02:55:28 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [04/Mar/2023:02:55:29 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [04/Mar/2023:02:55:30 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [04/Mar/2023:02:55:31 +0000] \"GET \t/administrator/pma/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [01/Mar/2023:15:53:25 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"45.75.196.15 - - [01/Mar/2023:15:53:19 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [01/Mar/2023:15:53:20 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [01/Mar/2023:15:53:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 
4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n45.75.196.15 - - [01/Mar/2023:15:53:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [06/Mar/2023:17:01:56 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [06/Mar/2023:12:29:57 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [06/Mar/2023:12:29:51 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:12:29:52 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:12:29:53 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:12:29:54 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [05/Mar/2023:12:16:54 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"54.10.24.5 - - [05/Mar/2023:12:16:48 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:12:16:49 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:12:16:50 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:12:16:51 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [01/Mar/2023:14:14:24 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"187.80.4.18 - - [01/Mar/2023:14:14:18 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:14:14:19 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:14:14:20 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:14:14:21 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; 
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [03/Mar/2023:16:04:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - 
[05/Mar/2023:18:20:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [05/Mar/2023:18:20:01 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:18:20:02 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:18:20:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [05/Mar/2023:18:20:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [04/Mar/2023:10:44:20 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"54.10.24.5 - - [04/Mar/2023:10:44:14 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [04/Mar/2023:10:44:15 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [04/Mar/2023:10:44:16 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n54.10.24.5 - - [04/Mar/2023:10:44:17 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [07/Mar/2023:19:20:42 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - 
[03/Mar/2023:14:57:35 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [05/Mar/2023:10:35:19 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"40.220.102.15 - - [05/Mar/2023:10:35:13 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n40.220.102.15 - - [05/Mar/2023:10:35:14 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n40.220.102.15 - - [05/Mar/2023:10:35:15 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n40.220.102.15 - - [05/Mar/2023:10:35:16 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [07/Mar/2023:01:41:33 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [07/Mar/2023:01:41:27 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:01:41:28 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; 
LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:01:41:29 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [07/Mar/2023:01:41:30 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"40.220.102.15 - - [06/Mar/2023:06:46:03 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [06/Mar/2023:17:09:17 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"141.98.81.37 - - [06/Mar/2023:17:09:11 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n141.98.81.37 - - [06/Mar/2023:17:09:12 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n141.98.81.37 - - [06/Mar/2023:17:09:13 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n141.98.81.37 - - [06/Mar/2023:17:09:14 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [04/Mar/2023:17:26:24 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"","previous_output":"40.220.102.15 - - [04/Mar/2023:17:26:18 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n40.220.102.15 - - [04/Mar/2023:17:26:19 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n40.220.102.15 - - [04/Mar/2023:17:26:20 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\n40.220.102.15 - - [04/Mar/2023:17:26:21 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [03/Mar/2023:02:15:46 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [02/Mar/2023:09:15:11 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 
(KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [02/Mar/2023:09:59:11 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [05/Mar/2023:10:49:44 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 
\"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [04/Mar/2023:22:47:28 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [07/Mar/2023:10:46:33 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"40.220.102.15 - - [07/Mar/2023:10:46:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:10:46:28 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:10:46:29 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n40.220.102.15 - - [07/Mar/2023:10:46:30 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [01/Mar/2023:10:24:43 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [07/Mar/2023:14:18:08 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 
7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.75.196.15 - - [07/Mar/2023:14:18:02 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:14:18:03 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:14:18:04 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:14:18:05 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [03/Mar/2023:23:11:03 
+0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.75.196.15 - - [03/Mar/2023:23:10:57 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:23:10:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:23:10:59 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:23:11:00 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [04/Mar/2023:07:26:35 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.75.196.15 - - [04/Mar/2023:07:26:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [04/Mar/2023:07:26:30 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [04/Mar/2023:07:26:31 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [04/Mar/2023:07:26:32 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [03/Mar/2023:06:26:52 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:08:46:37 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 
10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:17:52:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"40.220.102.15 - - [05/Mar/2023:17:52:19 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n40.220.102.15 - - [05/Mar/2023:17:52:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n40.220.102.15 - - [05/Mar/2023:17:52:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 
Safari/604.1\"\n40.220.102.15 - - [05/Mar/2023:17:52:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [06/Mar/2023:23:29:59 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.75.196.15 - - [06/Mar/2023:23:29:53 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:23:29:54 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:23:29:55 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:23:29:56 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [05/Mar/2023:06:49:27 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [04/Mar/2023:04:00:19 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"45.75.196.15 - - [04/Mar/2023:04:00:13 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [04/Mar/2023:04:00:14 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [04/Mar/2023:04:00:15 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [04/Mar/2023:04:00:16 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [04/Mar/2023:17:07:41 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [01/Mar/2023:18:13:46 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [08/Mar/2023:01:41:36 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"134.87.21.47 - - [08/Mar/2023:01:41:30 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:01:41:31 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:01:41:32 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:01:41:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [06/Mar/2023:11:47:35 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [06/Mar/2023:04:28:22 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [08/Mar/2023:07:02:03 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [01/Mar/2023:16:42:00 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [01/Mar/2023:16:41:54 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [01/Mar/2023:16:41:55 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 - - [01/Mar/2023:16:41:56 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n40.220.102.15 
- - [01/Mar/2023:16:41:57 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [08/Mar/2023:03:03:47 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"54.10.24.5 - - [08/Mar/2023:03:03:41 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [08/Mar/2023:03:03:42 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [08/Mar/2023:03:03:43 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [08/Mar/2023:03:03:44 +0000] \"GET /index.asp HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [02/Mar/2023:01:48:18 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - 
[05/Mar/2023:20:46:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [02/Mar/2023:13:19:33 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.124.37.241 - - [02/Mar/2023:13:19:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:13:19:28 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:13:19:29 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; 
Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:13:19:30 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [04/Mar/2023:03:17:58 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:18:18:48 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"134.87.21.47 - - [04/Mar/2023:18:18:42 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:18:18:43 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:18:18:44 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:18:18:45 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [05/Mar/2023:21:42:00 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"187.80.4.18 - - [05/Mar/2023:21:41:54 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:21:41:55 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:21:41:56 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [05/Mar/2023:21:41:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:22:55:05 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"134.87.21.47 - - [06/Mar/2023:22:54:59 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [06/Mar/2023:22:55:00 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [06/Mar/2023:22:55:01 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) 
CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n134.87.21.47 - - [06/Mar/2023:22:55:02 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [06/Mar/2023:17:25:46 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"54.10.24.5 - - [06/Mar/2023:17:25:40 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [06/Mar/2023:17:25:41 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [06/Mar/2023:17:25:42 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [06/Mar/2023:17:25:43 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; 
rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [02/Mar/2023:06:24:39 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [03/Mar/2023:16:56:59 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; 
en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"141.98.81.37 - - [03/Mar/2023:16:56:53 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [03/Mar/2023:16:56:54 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [03/Mar/2023:16:56:55 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [03/Mar/2023:16:56:56 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - 
[04/Mar/2023:09:54:57 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"45.124.37.241 - - [04/Mar/2023:09:54:51 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:09:54:52 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:09:54:53 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:09:54:54 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [05/Mar/2023:06:34:39 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [04/Mar/2023:01:32:25 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"141.98.81.37 - - [04/Mar/2023:01:32:19 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [04/Mar/2023:01:32:20 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [04/Mar/2023:01:32:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [04/Mar/2023:01:32:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:18:45:25 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"54.10.24.5 - - [05/Mar/2023:18:45:19 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) 
AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [05/Mar/2023:18:45:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [05/Mar/2023:18:45:21 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n54.10.24.5 - - [05/Mar/2023:18:45:22 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [04/Mar/2023:15:59:19 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web 
server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [03/Mar/2023:02:39:38 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [03/Mar/2023:11:20:34 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [02/Mar/2023:01:20:09 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [02/Mar/2023:01:20:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:01:20:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:01:20:05 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:01:20:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [05/Mar/2023:22:53:30 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.124.37.241 - - [05/Mar/2023:22:53:24 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:53:25 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:53:26 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 
Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:22:53:27 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [05/Mar/2023:10:45:11 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [07/Mar/2023:17:32:15 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [04/Mar/2023:01:30:45 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [07/Mar/2023:19:14:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.124.37.241 - - [07/Mar/2023:19:14:27 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [07/Mar/2023:19:14:28 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [07/Mar/2023:19:14:29 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.124.37.241 - - [07/Mar/2023:19:14:30 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [06/Mar/2023:07:08:20 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [05/Mar/2023:12:36:26 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 
NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [01/Mar/2023:22:15:53 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [06/Mar/2023:07:30:34 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) 
NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"40.220.102.15 - - [05/Mar/2023:21:55:46 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [05/Mar/2023:09:39:04 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:10:29:47 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"54.10.24.5 - - [05/Mar/2023:10:29:41 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n54.10.24.5 - - [05/Mar/2023:10:29:42 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n54.10.24.5 - - [05/Mar/2023:10:29:43 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 
7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n54.10.24.5 - - [05/Mar/2023:10:29:44 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [03/Mar/2023:07:18:37 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [07/Mar/2023:13:04:47 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [06/Mar/2023:02:02:49 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile 
Safari/537.36\"","previous_output":"187.80.4.18 - - [06/Mar/2023:02:02:43 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:02:02:44 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:02:02:45 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:02:02:46 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [03/Mar/2023:22:17:09 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [01/Mar/2023:10:32:44 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [04/Mar/2023:04:31:41 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"45.124.37.241 - - [04/Mar/2023:04:31:35 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [04/Mar/2023:04:31:36 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [04/Mar/2023:04:31:37 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [04/Mar/2023:04:31:38 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [08/Mar/2023:03:45:10 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [07/Mar/2023:05:42:42 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:16:52:46 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [03/Mar/2023:17:25:28 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"45.124.37.241 - - [03/Mar/2023:17:25:22 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [03/Mar/2023:17:25:23 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [03/Mar/2023:17:25:24 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 
(KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n45.124.37.241 - - [03/Mar/2023:17:25:25 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [06/Mar/2023:20:15:05 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [07/Mar/2023:12:40:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.124.37.241 - - [07/Mar/2023:22:01:59 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [05/Mar/2023:22:02:56 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [07/Mar/2023:09:14:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"141.98.81.37 - - 
[07/Mar/2023:09:14:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:09:14:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:09:14:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n141.98.81.37 - - [07/Mar/2023:09:14:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [05/Mar/2023:15:51:34 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile 
Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"134.87.21.47 - - [05/Mar/2023:15:51:28 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:15:51:29 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:15:51:30 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n134.87.21.47 - - [05/Mar/2023:15:51:31 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"full_log":"16.4.20.20 - - [03/Mar/2023:09:05:36 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [02/Mar/2023:14:58:22 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [03/Mar/2023:05:01:21 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"40.220.102.15 - - [03/Mar/2023:05:01:15 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:05:01:16 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:05:01:17 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:05:01:18 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [02/Mar/2023:04:50:14 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [01/Mar/2023:12:58:29 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile 
Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"40.220.102.15 - - [01/Mar/2023:12:58:23 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [01/Mar/2023:12:58:24 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [01/Mar/2023:12:58:25 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [01/Mar/2023:12:58:26 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [08/Mar/2023:02:23:32 +0000] \"GET /index.asp 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [03/Mar/2023:12:51:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:12:51:20 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:12:51:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:12:51:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 
Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:12:51:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [03/Mar/2023:13:38:51 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:11:01:05 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"16.4.20.20 - - [05/Mar/2023:11:04:40 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [01/Mar/2023:19:16:37 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"134.87.21.47 - - [01/Mar/2023:19:16:31 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [01/Mar/2023:19:16:32 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [01/Mar/2023:19:16:33 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [01/Mar/2023:19:16:34 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [01/Mar/2023:17:46:56 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [03/Mar/2023:05:51:26 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [03/Mar/2023:05:51:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:05:51:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:05:51:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [03/Mar/2023:05:51:23 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - 
[05/Mar/2023:21:11:32 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [06/Mar/2023:15:46:15 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:15:46:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:46:10 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:46:11 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:15:46:12 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [05/Mar/2023:02:00:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [07/Mar/2023:19:07:26 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [04/Mar/2023:23:32:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [02/Mar/2023:04:46:20 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"187.80.4.18 - - [02/Mar/2023:04:46:14 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [02/Mar/2023:04:46:15 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [02/Mar/2023:04:46:16 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n187.80.4.18 - - [02/Mar/2023:04:46:17 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [04/Mar/2023:17:52:00 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [04/Mar/2023:18:21:04 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"16.4.20.20 - - [04/Mar/2023:18:20:58 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:18:20:59 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:18:21:00 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:18:21:01 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [03/Mar/2023:02:33:51 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" 
\"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [08/Mar/2023:03:57:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"","previous_output":"45.75.196.15 - - [08/Mar/2023:03:57:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [08/Mar/2023:03:57:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [08/Mar/2023:03:57:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\n45.75.196.15 - - [08/Mar/2023:03:57:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [05/Mar/2023:04:45:30 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [03/Mar/2023:15:55:11 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:15:55:05 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:15:55:06 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:15:55:07 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:15:55:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:20:12:07 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P 
Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [02/Mar/2023:04:25:21 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 
- - [06/Mar/2023:08:16:38 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [06/Mar/2023:08:16:32 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:08:16:33 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:08:16:34 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:08:16:35 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de 
Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [07/Mar/2023:19:07:13 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [07/Mar/2023:03:59:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [06/Mar/2023:00:40:10 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [01/Mar/2023:19:03:04 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [06/Mar/2023:19:49:00 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"40.220.102.15 - - [06/Mar/2023:19:48:54 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:19:48:55 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:19:48:56 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:19:48:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [03/Mar/2023:03:23:01 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [02/Mar/2023:04:41:06 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"54.10.24.5 - - [02/Mar/2023:04:41:00 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [02/Mar/2023:04:41:01 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [02/Mar/2023:04:41:02 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n54.10.24.5 - - [02/Mar/2023:04:41:03 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [06/Mar/2023:09:10:54 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"40.220.102.15 - - [06/Mar/2023:09:10:48 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:09:10:49 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:09:10:50 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:09:10:51 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [07/Mar/2023:08:57:39 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [07/Mar/2023:08:57:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:08:57:34 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:08:57:35 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [07/Mar/2023:08:57:36 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 
404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [04/Mar/2023:03:34:58 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New 
York"},"full_log":"45.124.37.241 - - [05/Mar/2023:13:21:42 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - [01/Mar/2023:16:35:14 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [02/Mar/2023:06:12:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [08/Mar/2023:04:42:49 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 
XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"141.98.81.37 - - [08/Mar/2023:04:42:43 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [08/Mar/2023:04:42:44 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [08/Mar/2023:04:42:45 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [08/Mar/2023:04:42:46 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [03/Mar/2023:13:32:47 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [02/Mar/2023:21:07:48 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.124.37.241 - - [02/Mar/2023:21:07:42 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:21:07:43 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:21:07:44 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:21:07:45 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [07/Mar/2023:09:38:37 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:11:25:38 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [01/Mar/2023:15:46:14 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.75.196.15 - - [01/Mar/2023:15:46:08 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [01/Mar/2023:15:46:09 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [01/Mar/2023:15:46:10 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [01/Mar/2023:15:46:11 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [04/Mar/2023:21:52:34 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [08/Mar/2023:03:34:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.124.37.241 - - [08/Mar/2023:03:34:19 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [08/Mar/2023:03:34:20 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [08/Mar/2023:03:34:21 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [08/Mar/2023:03:34:22 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [06/Mar/2023:09:37:34 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes 
from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [06/Mar/2023:13:00:12 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"45.75.196.15 - - [06/Mar/2023:13:00:06 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:13:00:07 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:13:00:08 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:13:00:09 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [05/Mar/2023:09:17:25 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [06/Mar/2023:07:49:05 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 
Edge/12.246\"","previous_output":"134.87.21.47 - - [06/Mar/2023:07:48:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [06/Mar/2023:07:49:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [06/Mar/2023:07:49:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n134.87.21.47 - - [06/Mar/2023:07:49:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [06/Mar/2023:14:05:41 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [03/Mar/2023:13:53:56 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [04/Mar/2023:07:54:36 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [07/Mar/2023:11:59:40 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [06/Mar/2023:21:08:02 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"45.75.196.15 - - [06/Mar/2023:21:07:56 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [06/Mar/2023:21:07:57 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [06/Mar/2023:21:07:58 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [06/Mar/2023:21:07:59 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:21:28:29 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 
Mobile/15A5370a Safari/604.1\"","previous_output":"45.75.196.15 - - [05/Mar/2023:21:28:23 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [05/Mar/2023:21:28:24 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [05/Mar/2023:21:28:25 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [05/Mar/2023:21:28:26 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [02/Mar/2023:17:43:03 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"16.4.20.20 - - [02/Mar/2023:17:42:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:17:42:58 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:17:42:59 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:17:43:00 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [04/Mar/2023:03:15:29 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [05/Mar/2023:08:41:01 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [04/Mar/2023:05:03:17 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"54.10.24.5 - - [04/Mar/2023:05:03:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [04/Mar/2023:05:03:12 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [04/Mar/2023:05:03:13 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n54.10.24.5 - - [04/Mar/2023:05:03:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:12:55:30 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"54.10.24.5 - - [05/Mar/2023:12:55:24 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [05/Mar/2023:12:55:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [05/Mar/2023:12:55:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n54.10.24.5 - - [05/Mar/2023:12:55:27 +0000] \"GET /administrator/db/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [06/Mar/2023:03:12:38 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"141.98.81.37 - - [06/Mar/2023:03:12:32 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [06/Mar/2023:03:12:33 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [06/Mar/2023:03:12:34 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n141.98.81.37 - - [06/Mar/2023:03:12:35 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [06/Mar/2023:22:25:34 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"45.124.37.241 - - [06/Mar/2023:22:25:28 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.124.37.241 - - 
[06/Mar/2023:22:25:29 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.124.37.241 - - [06/Mar/2023:22:25:30 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.124.37.241 - - [06/Mar/2023:22:25:31 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [07/Mar/2023:00:02:52 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"187.80.4.18 - - [07/Mar/2023:00:02:46 +0000] \"GET /pma2020/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:00:02:47 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:00:02:48 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n187.80.4.18 - - [07/Mar/2023:00:02:49 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [03/Mar/2023:02:52:18 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"187.80.4.18 - - [03/Mar/2023:02:52:12 +0000] \"GET /administrator/admin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [03/Mar/2023:02:52:13 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [03/Mar/2023:02:52:14 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n187.80.4.18 - - [03/Mar/2023:02:52:15 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [04/Mar/2023:09:46:21 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"40.220.102.15 - - [04/Mar/2023:09:46:15 +0000] \"GET / 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [04/Mar/2023:09:46:16 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [04/Mar/2023:09:46:17 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [04/Mar/2023:09:46:18 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [01/Mar/2023:23:59:28 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 
(KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [02/Mar/2023:12:30:10 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [02/Mar/2023:12:30:04 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [02/Mar/2023:12:30:05 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [02/Mar/2023:12:30:06 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [02/Mar/2023:12:30:07 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [05/Mar/2023:17:09:48 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [04/Mar/2023:11:29:14 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [04/Mar/2023:08:44:02 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [05/Mar/2023:13:48:11 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"141.98.81.37 - - [05/Mar/2023:13:48:05 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [05/Mar/2023:13:48:06 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [05/Mar/2023:13:48:07 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n141.98.81.37 - - [05/Mar/2023:13:48:08 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [06/Mar/2023:10:51:27 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [04/Mar/2023:13:07:27 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"16.4.20.20 - - [04/Mar/2023:13:07:21 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:13:07:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:13:07:23 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:13:07:24 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [08/Mar/2023:07:16:56 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [08/Mar/2023:06:50:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [03/Mar/2023:14:10:02 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:23:04:25 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [02/Mar/2023:17:21:21 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"16.4.20.20 - - [02/Mar/2023:17:21:15 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [02/Mar/2023:17:21:16 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [02/Mar/2023:17:21:17 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 
12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [02/Mar/2023:17:21:18 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:05:11:38 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"187.80.4.18 - - [05/Mar/2023:05:11:32 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [05/Mar/2023:05:11:33 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [05/Mar/2023:05:11:34 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [05/Mar/2023:05:11:35 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [03/Mar/2023:09:38:03 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"40.220.102.15 - - [03/Mar/2023:09:37:57 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [03/Mar/2023:09:37:58 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [03/Mar/2023:09:37:59 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [03/Mar/2023:09:38:00 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [05/Mar/2023:09:54:53 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [05/Mar/2023:09:54:47 +0000] \"GET /shopdb/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:09:54:48 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:09:54:49 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [05/Mar/2023:09:54:50 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [04/Mar/2023:19:19:54 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:19:19:48 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:19:49 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:19:50 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:19:19:51 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.75.196.15 - - 
[03/Mar/2023:12:53:03 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.75.196.15 - - [03/Mar/2023:12:52:57 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [03/Mar/2023:12:52:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [03/Mar/2023:12:52:59 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [03/Mar/2023:12:53:00 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [01/Mar/2023:10:54:19 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [02/Mar/2023:23:54:56 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"141.98.81.37 - - [02/Mar/2023:23:54:50 +0000] \"GET 
/pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [02/Mar/2023:23:54:51 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [02/Mar/2023:23:54:52 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n141.98.81.37 - - [02/Mar/2023:23:54:53 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [03/Mar/2023:20:29:46 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"134.87.21.47 - - [03/Mar/2023:20:29:40 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [03/Mar/2023:20:29:41 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - 
[03/Mar/2023:20:29:42 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n134.87.21.47 - - [03/Mar/2023:20:29:43 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [07/Mar/2023:00:09:36 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"40.220.102.15 - - [07/Mar/2023:00:09:30 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [07/Mar/2023:00:09:31 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 
OPR/42.7.2246.114996\"\n40.220.102.15 - - [07/Mar/2023:00:09:32 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [07/Mar/2023:00:09:33 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - [02/Mar/2023:00:02:37 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"45.124.37.241 - - [02/Mar/2023:00:02:31 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [02/Mar/2023:00:02:32 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [02/Mar/2023:00:02:33 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.124.37.241 - - [02/Mar/2023:00:02:34 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [05/Mar/2023:12:45:05 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"54.10.24.5 - - [05/Mar/2023:12:44:59 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 
(KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [05/Mar/2023:12:45:00 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [05/Mar/2023:12:45:01 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [05/Mar/2023:12:45:02 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [03/Mar/2023:20:32:39 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:20:32:33 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:20:32:34 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:20:32:35 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:20:32:36 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [06/Mar/2023:07:37:26 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"141.98.81.37 - - 
[06/Mar/2023:07:37:20 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:37:21 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:37:22 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n141.98.81.37 - - [06/Mar/2023:07:37:23 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [03/Mar/2023:10:53:25 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [03/Mar/2023:10:53:19 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:10:53:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:10:53:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n54.10.24.5 - - [03/Mar/2023:10:53:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [04/Mar/2023:05:31:12 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"16.4.20.20 - - [04/Mar/2023:05:31:06 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:05:31:07 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:05:31:08 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [04/Mar/2023:05:31:09 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [04/Mar/2023:21:04:33 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"45.124.37.241 - - [04/Mar/2023:21:04:27 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.124.37.241 - - [04/Mar/2023:21:04:28 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.124.37.241 - - [04/Mar/2023:21:04:29 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.124.37.241 - - [04/Mar/2023:21:04:30 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [03/Mar/2023:18:40:26 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"141.98.81.37 - - [03/Mar/2023:18:40:20 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [03/Mar/2023:18:40:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [03/Mar/2023:18:40:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [03/Mar/2023:18:40:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [08/Mar/2023:07:02:49 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [02/Mar/2023:03:37:42 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"40.220.102.15 - - [02/Mar/2023:03:37:36 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:03:37:37 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:03:37:38 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n40.220.102.15 - - [02/Mar/2023:03:37:39 +0000] 
\"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [05/Mar/2023:07:34:48 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [06/Mar/2023:21:10:28 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [06/Mar/2023:08:20:24 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [06/Mar/2023:13:59:49 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [07/Mar/2023:13:26:54 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, 
like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [07/Mar/2023:22:07:46 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:15:22:21 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [05/Mar/2023:15:22:15 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:15:22:16 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:15:22:17 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n187.80.4.18 - - [05/Mar/2023:15:22:18 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [03/Mar/2023:12:03:32 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [05/Mar/2023:16:45:53 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"54.10.24.5 - - [05/Mar/2023:16:45:47 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:16:45:48 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:16:45:49 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:16:45:50 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"187.80.4.18 - - [07/Mar/2023:01:12:55 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [07/Mar/2023:03:42:21 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [07/Mar/2023:04:00:55 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"54.10.24.5 - - [07/Mar/2023:04:00:49 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:04:00:50 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:04:00:51 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [07/Mar/2023:04:00:52 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [05/Mar/2023:11:17:38 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [01/Mar/2023:16:31:40 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"187.80.4.18 - - [01/Mar/2023:16:31:34 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:16:31:35 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:16:31:36 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n187.80.4.18 - - [01/Mar/2023:16:31:37 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [07/Mar/2023:22:12:56 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"40.220.102.15 - - [07/Mar/2023:22:12:50 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:22:12:51 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:22:12:52 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:22:12:53 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [07/Mar/2023:05:04:29 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"134.87.21.47 - - [07/Mar/2023:05:04:23 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:05:04:24 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:05:04:25 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n134.87.21.47 - - [07/Mar/2023:05:04:26 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU 
iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [07/Mar/2023:03:28:27 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"141.98.81.37 - - [07/Mar/2023:03:28:21 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [07/Mar/2023:03:28:22 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [07/Mar/2023:03:28:23 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [07/Mar/2023:03:28:24 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 
Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [04/Mar/2023:21:43:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"134.87.21.47 - - [04/Mar/2023:21:42:57 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [04/Mar/2023:21:42:58 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [04/Mar/2023:21:42:59 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [04/Mar/2023:21:43:00 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [05/Mar/2023:20:49:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"},"full_log":"187.80.4.18 - - [03/Mar/2023:17:11:47 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [06/Mar/2023:07:02:13 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"141.98.81.37 - - [06/Mar/2023:07:02:07 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [06/Mar/2023:07:02:08 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [06/Mar/2023:07:02:09 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [06/Mar/2023:07:02:10 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [06/Mar/2023:16:29:09 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [02/Mar/2023:02:19:43 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [02/Mar/2023:02:19:37 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:02:19:38 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:02:19:39 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n187.80.4.18 - - [02/Mar/2023:02:19:40 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [06/Mar/2023:21:07:37 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"40.220.102.15 - - [06/Mar/2023:21:07:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:21:07:32 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:21:07:33 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n40.220.102.15 - - [06/Mar/2023:21:07:34 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [08/Mar/2023:05:09:59 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [04/Mar/2023:20:40:42 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 
3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [05/Mar/2023:02:51:58 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"141.98.81.37 - - [05/Mar/2023:02:51:52 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:02:51:53 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:02:51:54 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n141.98.81.37 - - [05/Mar/2023:02:51:55 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 
Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.75.196.15 - - [04/Mar/2023:22:29:34 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"45.75.196.15 - - [04/Mar/2023:22:29:28 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:22:29:29 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:22:29:30 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:22:29:31 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 
404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [04/Mar/2023:12:49:30 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"54.10.24.5 - - [04/Mar/2023:12:49:24 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [04/Mar/2023:12:49:25 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [04/Mar/2023:12:49:26 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n54.10.24.5 - - [04/Mar/2023:12:49:27 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [02/Mar/2023:05:32:08 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [05/Mar/2023:22:15:37 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 
10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"54.10.24.5 - - [05/Mar/2023:22:15:31 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:22:15:32 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:22:15:33 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n54.10.24.5 - - [05/Mar/2023:22:15:34 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [06/Mar/2023:08:00:21 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" 
\"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [04/Mar/2023:04:37:41 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"40.220.102.15 - - [04/Mar/2023:04:37:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n40.220.102.15 - - [04/Mar/2023:04:37:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n40.220.102.15 - - [04/Mar/2023:04:37:37 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n40.220.102.15 - - [04/Mar/2023:04:37:38 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [02/Mar/2023:17:02:44 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [06/Mar/2023:18:33:51 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS 
X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [03/Mar/2023:08:07:50 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"141.98.81.37 - - [03/Mar/2023:08:07:44 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:08:07:45 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:08:07:46 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n141.98.81.37 - - [03/Mar/2023:08:07:47 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [07/Mar/2023:15:09:50 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - 
[04/Mar/2023:12:23:42 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [07/Mar/2023:04:19:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"141.98.81.37 - - [07/Mar/2023:04:19:45 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [07/Mar/2023:04:19:46 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [07/Mar/2023:04:19:47 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) 
CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [07/Mar/2023:04:19:48 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"40.220.102.15 - - [01/Mar/2023:13:22:24 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [06/Mar/2023:04:37:57 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [07/Mar/2023:17:30:40 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 
error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [02/Mar/2023:00:00:03 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [04/Mar/2023:14:15:04 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; 
SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"40.220.102.15 - - [04/Mar/2023:14:14:58 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:14:14:59 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:14:15:00 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n40.220.102.15 - - [04/Mar/2023:14:15:01 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:06:31:25 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"141.98.81.37 - - [02/Mar/2023:06:31:19 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [02/Mar/2023:06:31:20 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [02/Mar/2023:06:31:21 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [02/Mar/2023:06:31:22 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [04/Mar/2023:03:36:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [03/Mar/2023:08:36:59 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"16.4.20.20 - - [03/Mar/2023:08:36:53 +0000] \"GET 
/shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [03/Mar/2023:08:36:54 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [03/Mar/2023:08:36:55 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n16.4.20.20 - - [03/Mar/2023:08:36:56 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [06/Mar/2023:21:31:56 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [01/Mar/2023:23:19:43 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.75.196.15 - - [01/Mar/2023:23:19:37 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:23:19:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:23:19:39 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [01/Mar/2023:23:19:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [07/Mar/2023:16:39:12 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [04/Mar/2023:09:33:54 +0000] \"GET 
/shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.124.37.241 - - [04/Mar/2023:08:57:45 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [04/Mar/2023:03:21:17 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [03/Mar/2023:19:32:20 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [05/Mar/2023:12:14:58 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [07/Mar/2023:09:36:27 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 
Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [04/Mar/2023:22:28:08 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:20:33:44 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:20:33:38 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:20:33:39 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:20:33:40 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:20:33:41 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [01/Mar/2023:14:35:06 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.124.37.241 - - [01/Mar/2023:14:35:00 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:14:35:01 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:14:35:02 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [01/Mar/2023:14:35:03 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [05/Mar/2023:08:58:42 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - [04/Mar/2023:14:25:14 +0000] \"GET \t/administrator/pma/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"187.80.4.18 - - [04/Mar/2023:14:25:08 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:14:25:09 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:14:25:10 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [04/Mar/2023:14:25:11 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:07:35:25 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"134.87.21.47 - - [06/Mar/2023:07:35:19 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [06/Mar/2023:07:35:20 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [06/Mar/2023:07:35:21 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [06/Mar/2023:07:35:22 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"134.87.21.47 - - [06/Mar/2023:03:29:23 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [02/Mar/2023:18:04:56 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"16.4.20.20 - - [02/Mar/2023:18:04:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [02/Mar/2023:18:04:51 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [02/Mar/2023:18:04:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n16.4.20.20 - - [02/Mar/2023:18:04:53 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [08/Mar/2023:08:01:15 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"16.4.20.20 - - [08/Mar/2023:08:01:09 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [08/Mar/2023:08:01:10 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [08/Mar/2023:08:01:11 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n16.4.20.20 - - [08/Mar/2023:08:01:12 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [04/Mar/2023:15:46:11 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"16.4.20.20 - - [04/Mar/2023:15:46:05 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [04/Mar/2023:15:46:06 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [04/Mar/2023:15:46:07 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n16.4.20.20 - - [04/Mar/2023:15:46:08 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [01/Mar/2023:11:03:39 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"16.4.20.20 - - [01/Mar/2023:11:03:33 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:03:34 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:03:35 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:11:03:36 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 
Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - [02/Mar/2023:07:44:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [04/Mar/2023:20:12:57 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; 
Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"45.75.196.15 - - [04/Mar/2023:20:12:51 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.75.196.15 - - [04/Mar/2023:20:12:52 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.75.196.15 - - [04/Mar/2023:20:12:53 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n45.75.196.15 - - [04/Mar/2023:20:12:54 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [06/Mar/2023:21:55:42 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"134.87.21.47 - - [06/Mar/2023:21:55:36 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [06/Mar/2023:21:55:37 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [06/Mar/2023:21:55:38 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [06/Mar/2023:21:55:39 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [05/Mar/2023:07:32:42 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"134.87.21.47 - - [05/Mar/2023:07:32:36 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:07:32:37 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:07:32:38 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n134.87.21.47 - - [05/Mar/2023:07:32:39 +0000] \"GET /shopdb/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [06/Mar/2023:20:14:27 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:20:14:21 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:20:14:22 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:20:14:23 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 
(KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:20:14:24 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [01/Mar/2023:09:30:18 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"16.4.20.20 - - [01/Mar/2023:09:30:12 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:09:30:13 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 
Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:09:30:14 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n16.4.20.20 - - [01/Mar/2023:09:30:15 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [07/Mar/2023:04:35:13 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"40.220.102.15 - - [07/Mar/2023:04:35:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:04:35:08 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:04:35:09 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n40.220.102.15 - - [07/Mar/2023:04:35:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [04/Mar/2023:18:37:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"45.124.37.241 - - [04/Mar/2023:18:37:46 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:18:37:47 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:18:37:48 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n45.124.37.241 - - [04/Mar/2023:18:37:49 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"187.80.4.18 - - [04/Mar/2023:11:43:53 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"187.80.4.18 - - [04/Mar/2023:11:43:47 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n187.80.4.18 - - [04/Mar/2023:11:43:48 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n187.80.4.18 - - [04/Mar/2023:11:43:49 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n187.80.4.18 - - [04/Mar/2023:11:43:50 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [06/Mar/2023:23:31:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:21:43:31 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [02/Mar/2023:22:08:09 +0000] 
\"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [02/Mar/2023:22:08:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:22:08:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:22:08:05 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\"\n45.75.196.15 - - [02/Mar/2023:22:08:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [03/Mar/2023:18:49:12 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"45.75.196.15 - - [03/Mar/2023:18:49:06 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:18:49:07 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:18:49:08 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n45.75.196.15 - - [03/Mar/2023:18:49:09 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"16.4.20.20 - - [05/Mar/2023:04:36:52 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"40.220.102.15 - - 
[07/Mar/2023:23:22:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"40.220.102.15 - - [07/Mar/2023:23:22:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:23:22:31 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:23:22:32 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:23:22:33 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [07/Mar/2023:13:39:15 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [04/Mar/2023:22:20:05 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 
400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"187.80.4.18 - - [03/Mar/2023:02:00:53 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"187.80.4.18 - - [03/Mar/2023:02:00:47 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:02:00:48 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:02:00:49 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n187.80.4.18 - - [03/Mar/2023:02:00:50 +0000] \"GET 
/administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [04/Mar/2023:20:51:48 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"16.4.20.20 - - [04/Mar/2023:20:51:42 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [04/Mar/2023:20:51:43 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [04/Mar/2023:20:51:44 
+0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n16.4.20.20 - - [04/Mar/2023:20:51:45 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"134.87.21.47 - - [04/Mar/2023:16:35:39 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:16:35:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile 
Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:16:35:34 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:16:35:35 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:16:35:36 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [02/Mar/2023:11:53:29 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 
Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"16.4.20.20 - - [01/Mar/2023:10:05:37 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"187.80.4.18 - - 
[04/Mar/2023:05:22:18 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"187.80.4.18 - - [04/Mar/2023:05:22:12 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [04/Mar/2023:05:22:13 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [04/Mar/2023:05:22:14 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [04/Mar/2023:05:22:15 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [06/Mar/2023:18:26:16 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.75.196.15 - - 
[06/Mar/2023:18:26:10 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [06/Mar/2023:18:26:11 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [06/Mar/2023:18:26:12 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.75.196.15 - - [06/Mar/2023:18:26:13 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [06/Mar/2023:15:28:35 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"54.10.24.5 - - [07/Mar/2023:02:02:23 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"54.10.24.5 - - [08/Mar/2023:09:01:59 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 
Edge/12.246\"","previous_output":"54.10.24.5 - - [08/Mar/2023:09:01:53 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [08/Mar/2023:09:01:54 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [08/Mar/2023:09:01:55 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n54.10.24.5 - - [08/Mar/2023:09:01:56 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"45.124.37.241 - - [08/Mar/2023:02:40:39 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 
Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [02/Mar/2023:14:06:46 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [03/Mar/2023:22:56:25 +0000] \"GET 
/db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"134.87.21.47 - - [07/Mar/2023:05:18:56 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [02/Mar/2023:15:28:01 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [02/Mar/2023:04:42:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"40.220.102.15 - - [07/Mar/2023:05:45:51 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"40.220.102.15 - - [07/Mar/2023:05:45:45 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [07/Mar/2023:05:45:46 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [07/Mar/2023:05:45:47 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n40.220.102.15 - - [07/Mar/2023:05:45:48 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [04/Mar/2023:06:11:01 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"54.10.24.5 - - [04/Mar/2023:06:10:55 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [04/Mar/2023:06:10:56 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [04/Mar/2023:06:10:57 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n54.10.24.5 - - [04/Mar/2023:06:10:58 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"40.220.102.15 - - [07/Mar/2023:08:32:15 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"40.220.102.15 - - [07/Mar/2023:08:32:09 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:08:32:10 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:08:32:11 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n40.220.102.15 - - [07/Mar/2023:08:32:12 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [07/Mar/2023:06:49:04 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"16.4.20.20 - - [07/Mar/2023:06:48:58 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [07/Mar/2023:06:48:59 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [07/Mar/2023:06:49:00 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n16.4.20.20 - - [07/Mar/2023:06:49:01 +0000] \"GET /db/myadmin/index.php?lang=en 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [03/Mar/2023:14:53:22 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [07/Mar/2023:19:38:25 +0000] 
\"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"134.87.21.47 - - [07/Mar/2023:20:02:37 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"134.87.21.47 - - [07/Mar/2023:20:02:31 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [07/Mar/2023:20:02:32 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [07/Mar/2023:20:02:33 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) 
AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n134.87.21.47 - - [07/Mar/2023:20:02:34 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [05/Mar/2023:00:16:51 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"45.75.196.15 - - [05/Mar/2023:00:16:45 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [05/Mar/2023:00:16:46 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 
Safari/605.1\"\n45.75.196.15 - - [05/Mar/2023:00:16:47 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n45.75.196.15 - - [05/Mar/2023:00:16:48 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [03/Mar/2023:17:46:44 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [04/Mar/2023:02:44:57 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"40.220.102.15 - - [03/Mar/2023:08:17:00 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"40.220.102.15 - - [03/Mar/2023:08:16:54 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [03/Mar/2023:08:16:55 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [03/Mar/2023:08:16:56 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n40.220.102.15 - - [03/Mar/2023:08:16:57 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [08/Mar/2023:01:52:04 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - [06/Mar/2023:19:51:30 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"54.10.24.5 - - [02/Mar/2023:09:23:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [06/Mar/2023:17:37:26 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) 
Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [07/Mar/2023:11:48:12 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - 
[03/Mar/2023:14:48:01 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"187.80.4.18 - - [03/Mar/2023:14:47:55 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:14:47:56 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:14:47:57 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n187.80.4.18 - - [03/Mar/2023:14:47:58 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [06/Mar/2023:04:55:41 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [04/Mar/2023:11:09:41 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) 
Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"40.220.102.15 - - [04/Mar/2023:11:09:35 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [04/Mar/2023:11:09:36 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [04/Mar/2023:11:09:37 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [04/Mar/2023:11:09:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [07/Mar/2023:13:56:58 +0000] \"GET 
/sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"16.4.20.20 - - [07/Mar/2023:13:56:52 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [07/Mar/2023:13:56:53 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [07/Mar/2023:13:56:54 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [07/Mar/2023:13:56:55 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [08/Mar/2023:05:24:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [05/Mar/2023:06:13:27 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.75.196.15 - - [05/Mar/2023:06:13:21 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:06:13:22 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:06:13:23 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [05/Mar/2023:06:13:24 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [04/Mar/2023:22:42:44 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"40.220.102.15 - - [04/Mar/2023:22:42:38 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [04/Mar/2023:22:42:39 +0000] 
\"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [04/Mar/2023:22:42:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n40.220.102.15 - - [04/Mar/2023:22:42:41 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [03/Mar/2023:10:06:13 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.75.196.15 - - [01/Mar/2023:18:39:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"45.75.196.15 - - [01/Mar/2023:18:39:14 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.75.196.15 - - [01/Mar/2023:18:39:15 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.75.196.15 - - [01/Mar/2023:18:39:16 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.75.196.15 - - [01/Mar/2023:18:39:17 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 
Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [03/Mar/2023:10:54:20 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [02/Mar/2023:04:46:22 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"","previous_output":"45.124.37.241 - - [02/Mar/2023:04:46:16 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:04:46:17 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:04:46:18 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\"\n45.124.37.241 - - 
[02/Mar/2023:04:46:19 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [07/Mar/2023:12:29:12 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"16.4.20.20 - - [03/Mar/2023:06:39:27 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [03/Mar/2023:06:39:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:06:39:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:06:39:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n16.4.20.20 - - [03/Mar/2023:06:39:24 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG 
SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [02/Mar/2023:19:25:26 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"54.10.24.5 - - [02/Mar/2023:19:25:20 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [02/Mar/2023:19:25:21 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [02/Mar/2023:19:25:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n54.10.24.5 - - [02/Mar/2023:19:25:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [03/Mar/2023:12:47:18 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"141.98.81.37 - - [03/Mar/2023:12:47:12 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [03/Mar/2023:12:47:13 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [03/Mar/2023:12:47:14 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n141.98.81.37 - - [03/Mar/2023:12:47:15 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"16.4.20.20 - - [08/Mar/2023:06:56:58 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [02/Mar/2023:22:32:53 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"16.4.20.20 - - [02/Mar/2023:22:32:47 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:22:32:48 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:22:32:49 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:22:32:50 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [04/Mar/2023:07:09:06 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"","previous_output":"134.87.21.47 - - [04/Mar/2023:07:09:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:07:09:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:07:09:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\"\n134.87.21.47 - - [04/Mar/2023:07:09:03 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"16.4.20.20 - - [06/Mar/2023:11:37:04 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [07/Mar/2023:18:58:43 +0000] 
\"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [07/Mar/2023:18:58:37 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:18:58:38 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:18:58:39 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.124.37.241 - - [07/Mar/2023:18:58:40 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de 
Janeiro"},"full_log":"187.80.4.18 - - [04/Mar/2023:00:31:46 +0000] \"GET / HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [03/Mar/2023:14:43:06 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"","previous_output":"45.75.196.15 - - [03/Mar/2023:14:43:00 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [03/Mar/2023:14:43:01 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [03/Mar/2023:14:43:02 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 
(Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\"\n45.75.196.15 - - [03/Mar/2023:14:43:03 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [04/Mar/2023:19:27:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [02/Mar/2023:09:32:38 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"45.75.196.15 - - [02/Mar/2023:09:32:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:09:32:33 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:09:32:34 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:09:32:35 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [06/Mar/2023:20:16:00 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"54.10.24.5 - - [06/Mar/2023:20:15:54 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n54.10.24.5 - - [06/Mar/2023:20:15:55 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n54.10.24.5 - - [06/Mar/2023:20:15:56 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n54.10.24.5 - - [06/Mar/2023:20:15:57 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [07/Mar/2023:03:27:09 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"","previous_output":"45.75.196.15 - - [07/Mar/2023:03:27:03 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:03:27:04 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:03:27:05 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\"\n45.75.196.15 - - [07/Mar/2023:03:27:06 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"45.75.196.15 - - [04/Mar/2023:21:48:54 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.75.196.15 - - [04/Mar/2023:21:48:48 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:21:48:49 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:21:48:50 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.75.196.15 - - [04/Mar/2023:21:48:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [05/Mar/2023:18:21:34 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [04/Mar/2023:10:37:34 +0000] \"GET 
\t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"","previous_output":"134.87.21.47 - - [04/Mar/2023:10:37:28 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:10:37:29 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:10:37:30 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\"\n134.87.21.47 - - [04/Mar/2023:10:37:31 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"16.4.20.20 - - [06/Mar/2023:08:07:45 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [02/Mar/2023:04:31:28 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"134.87.21.47 - - [06/Mar/2023:12:09:23 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 
(PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - [02/Mar/2023:17:55:50 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"","previous_output":"40.220.102.15 - - [02/Mar/2023:17:55:44 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:17:55:45 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:17:55:46 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\"\n40.220.102.15 - - [02/Mar/2023:17:55:47 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) 
NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [01/Mar/2023:17:33:00 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - 
[04/Mar/2023:10:31:30 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"134.87.21.47 - - [07/Mar/2023:00:27:22 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"134.87.21.47 - - [07/Mar/2023:00:27:16 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [07/Mar/2023:00:27:17 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [07/Mar/2023:00:27:18 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, 
like Gecko) Version/9.0.2 Safari/601.3.9\"\n134.87.21.47 - - [07/Mar/2023:00:27:19 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [08/Mar/2023:01:17:44 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [06/Mar/2023:08:33:01 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [02/Mar/2023:19:36:58 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"141.98.81.37 - - [02/Mar/2023:00:27:09 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"141.98.81.37 - - [02/Mar/2023:00:27:03 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [02/Mar/2023:00:27:04 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [02/Mar/2023:00:27:05 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [02/Mar/2023:00:27:06 +0000] \"GET 
\t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"134.87.21.47 - - [06/Mar/2023:01:38:29 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"134.87.21.47 - - [06/Mar/2023:01:38:23 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:01:38:24 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:01:38:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" 
\"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [06/Mar/2023:01:38:26 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [01/Mar/2023:11:06:49 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"45.75.196.15 - - [01/Mar/2023:11:06:43 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [01/Mar/2023:11:06:44 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [01/Mar/2023:11:06:45 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; 
Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n45.75.196.15 - - [01/Mar/2023:11:06:46 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [06/Mar/2023:14:00:16 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"54.10.24.5 - - [03/Mar/2023:20:10:53 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"54.10.24.5 - - [03/Mar/2023:20:10:47 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [03/Mar/2023:20:10:48 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [03/Mar/2023:20:10:49 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n54.10.24.5 - - [03/Mar/2023:20:10:50 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"141.98.81.37 - - [05/Mar/2023:06:08:26 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"141.98.81.37 - - [05/Mar/2023:06:08:20 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [05/Mar/2023:06:08:21 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [05/Mar/2023:06:08:22 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n141.98.81.37 - - [05/Mar/2023:06:08:23 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [05/Mar/2023:11:32:00 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/sqlweb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"45.124.37.241 - - 
[03/Mar/2023:14:54:40 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"45.124.37.241 - - [03/Mar/2023:14:54:34 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.124.37.241 - - [03/Mar/2023:14:54:35 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.124.37.241 - - [03/Mar/2023:14:54:36 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n45.124.37.241 - - [03/Mar/2023:14:54:37 +0000] \"GET /sql/sqlweb/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"54.10.24.5 - - [06/Mar/2023:13:21:24 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [02/Mar/2023:02:51:17 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"134.87.21.47 - - [02/Mar/2023:02:51:11 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [02/Mar/2023:02:51:12 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [02/Mar/2023:02:51:13 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n134.87.21.47 - - [02/Mar/2023:02:51:14 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [04/Mar/2023:06:54:33 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/62.0.3202.84 Mobile Safari/537.36\"","previous_output":"54.10.24.5 - - [04/Mar/2023:06:54:27 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:06:54:28 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:06:54:29 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\"\n54.10.24.5 - - [04/Mar/2023:06:54:30 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [04/Mar/2023:11:09:57 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"","previous_output":"45.124.37.241 - - [04/Mar/2023:11:09:51 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [04/Mar/2023:11:09:52 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [04/Mar/2023:11:09:53 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\"\n45.124.37.241 - - [04/Mar/2023:11:09:54 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.EU\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [02/Mar/2023:02:42:09 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"45.75.196.15 - - [02/Mar/2023:02:42:03 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.75.196.15 - - [02/Mar/2023:02:42:04 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.75.196.15 - - [02/Mar/2023:02:42:05 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n45.75.196.15 - - [02/Mar/2023:02:42:06 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same 
source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [06/Mar/2023:14:46:24 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"","previous_output":"187.80.4.18 - - [06/Mar/2023:14:46:18 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:14:46:19 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:14:46:20 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\"\n187.80.4.18 - - [06/Mar/2023:14:46:21 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [03/Mar/2023:21:05:41 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"141.98.81.37 - - [03/Mar/2023:08:06:38 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"","previous_output":"141.98.81.37 - - [03/Mar/2023:08:06:32 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [03/Mar/2023:08:06:33 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [03/Mar/2023:08:06:34 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1\"\n141.98.81.37 - - [03/Mar/2023:08:06:35 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 
Safari/605.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [04/Mar/2023:06:06:15 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [04/Mar/2023:02:39:05 +0000] \"GET /index.asp 
HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"16.4.20.20 - - [04/Mar/2023:02:38:59 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [04/Mar/2023:02:39:00 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [04/Mar/2023:02:39:01 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n16.4.20.20 - - [04/Mar/2023:02:39:02 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [06/Mar/2023:05:54:05 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.75.196.15 - - [06/Mar/2023:05:53:59 +0000] \"GET 
/db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:05:54:00 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:05:54:01 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.75.196.15 - - [06/Mar/2023:05:54:02 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [07/Mar/2023:10:34:57 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [01/Mar/2023:19:05:13 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"","previous_output":"16.4.20.20 - - [01/Mar/2023:19:05:07 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:19:05:08 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:19:05:09 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\"\n16.4.20.20 - - [01/Mar/2023:19:05:10 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"187.80.4.18 - - [06/Mar/2023:17:16:23 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"54.10.24.5 - - [06/Mar/2023:17:05:16 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en 
HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"187.80.4.18 - - [07/Mar/2023:03:10:40 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"187.80.4.18 - - [07/Mar/2023:03:10:34 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n187.80.4.18 - - [07/Mar/2023:03:10:35 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n187.80.4.18 - - [07/Mar/2023:03:10:36 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 
Safari/601.3.9\"\n187.80.4.18 - - [07/Mar/2023:03:10:37 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"134.87.21.47 - - [04/Mar/2023:06:39:37 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"134.87.21.47 - - [04/Mar/2023:06:39:31 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [04/Mar/2023:06:39:32 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [04/Mar/2023:06:39:33 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n134.87.21.47 - - [04/Mar/2023:06:39:34 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 
Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"54.10.24.5 - - [06/Mar/2023:11:20:22 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"54.10.24.5 - - [06/Mar/2023:11:20:16 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:11:20:17 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - [06/Mar/2023:11:20:18 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n54.10.24.5 - - 
[06/Mar/2023:11:20:19 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"45.75.196.15 - - [02/Mar/2023:20:43:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [01/Mar/2023:23:47:48 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"45.124.37.241 - - [01/Mar/2023:23:47:42 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.124.37.241 - - [01/Mar/2023:23:47:43 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.124.37.241 - - [01/Mar/2023:23:47:44 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n45.124.37.241 - - [01/Mar/2023:23:47:45 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 
Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [02/Mar/2023:01:23:13 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [01/Mar/2023:15:27:59 +0000] \"GET /index.asp HTTP/1.1\" 404 
222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"","previous_output":"45.124.37.241 - - [01/Mar/2023:15:27:53 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.124.37.241 - - [01/Mar/2023:15:27:54 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.124.37.241 - - [01/Mar/2023:15:27:55 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\"\n45.124.37.241 - - [01/Mar/2023:15:27:56 +0000] \"GET /index.asp HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [01/Mar/2023:22:48:17 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) 
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [06/Mar/2023:13:34:02 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"16.4.20.20 - - 
[04/Mar/2023:10:52:30 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"54.10.24.5 - - [01/Mar/2023:22:44:39 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G955U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"40.220.102.15 - - [05/Mar/2023:04:34:45 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [04/Mar/2023:01:15:58 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [02/Mar/2023:03:46:59 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.124.37.241 - - [02/Mar/2023:02:00:31 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C 
Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"54.10.24.5 - - [03/Mar/2023:23:03:33 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"40.220.102.15 - - 
[03/Mar/2023:19:50:31 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"","previous_output":"40.220.102.15 - - [03/Mar/2023:19:50:25 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [03/Mar/2023:19:50:26 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [03/Mar/2023:19:50:27 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\"\n40.220.102.15 - - [03/Mar/2023:19:50:28 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"40.220.102.15 - - [03/Mar/2023:09:47:39 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"","previous_output":"40.220.102.15 - - [03/Mar/2023:09:47:33 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:09:47:34 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:09:47:35 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\"\n40.220.102.15 - - [03/Mar/2023:09:47:36 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like 
Gecko) Version/4.0 Chrome/55.0.2883.91 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [08/Mar/2023:05:27:57 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"","previous_output":"141.98.81.37 - - [08/Mar/2023:05:27:51 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [08/Mar/2023:05:27:52 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - [08/Mar/2023:05:27:53 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\"\n141.98.81.37 - - 
[08/Mar/2023:05:27:54 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/db/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.124.37.241 - - [02/Mar/2023:03:44:55 +0000] \"GET /administrator/db/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [02/Mar/2023:03:56:10 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"45.124.37.241 - - [02/Mar/2023:03:56:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:03:56:05 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:03:56:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n45.124.37.241 - - [02/Mar/2023:03:56:07 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.75.196.15 - - [04/Mar/2023:00:26:19 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"45.75.196.15 - - [04/Mar/2023:00:26:13 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:00:26:14 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:00:26:15 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n45.75.196.15 - - [04/Mar/2023:00:26:16 +0000] \"GET 
/phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"40.220.102.15","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"40.220.102.15 - - [06/Mar/2023:23:29:55 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"40.220.102.15 - - [06/Mar/2023:23:29:49 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [06/Mar/2023:23:29:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [06/Mar/2023:23:29:51 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; 
SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n40.220.102.15 - - [06/Mar/2023:23:29:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [07/Mar/2023:19:43:13 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [03/Mar/2023:06:52:25 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"141.98.81.37 - - [03/Mar/2023:06:52:19 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [03/Mar/2023:06:52:20 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [03/Mar/2023:06:52:21 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [03/Mar/2023:06:52:22 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"16.4.20.20 - - [06/Mar/2023:17:56:14 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"","previous_output":"16.4.20.20 - - [06/Mar/2023:17:56:08 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [06/Mar/2023:17:56:09 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [06/Mar/2023:17:56:10 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\"\n16.4.20.20 - - [06/Mar/2023:17:56:11 +0000] 
\"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/db/myadmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [05/Mar/2023:23:54:34 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"","previous_output":"141.98.81.37 - - [05/Mar/2023:23:54:28 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [05/Mar/2023:23:54:29 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [05/Mar/2023:23:54:30 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) 
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\"\n141.98.81.37 - - [05/Mar/2023:23:54:31 +0000] \"GET /db/myadmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"},"full_log":"141.98.81.37 - - [01/Mar/2023:20:25:35 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"","previous_output":"141.98.81.37 - - [01/Mar/2023:20:25:29 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [01/Mar/2023:20:25:30 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 
OPR/42.7.2246.114996\"\n141.98.81.37 - - [01/Mar/2023:20:25:31 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\"\n141.98.81.37 - - [01/Mar/2023:20:25:32 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-A310F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 OPR/42.7.2246.114996\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"134.87.21.47 - - [08/Mar/2023:08:19:56 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"134.87.21.47 - - [08/Mar/2023:08:19:50 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:08:19:51 +0000] \"GET 
/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:08:19:52 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n134.87.21.47 - - [08/Mar/2023:08:19:53 +0000] \"GET /index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"141.98.81.37 - - [01/Mar/2023:21:12:43 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/index.asp"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.75.196.15 - - [07/Mar/2023:19:12:30 +0000] \"GET /index.asp HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [05/Mar/2023:05:05:54 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 
XiaoMi/MiuiBrowser/9.0.3\"","previous_output":"45.75.196.15 - - [05/Mar/2023:05:05:48 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.75.196.15 - - [05/Mar/2023:05:05:49 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.75.196.15 - - [05/Mar/2023:05:05:50 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\"\n45.75.196.15 - - [05/Mar/2023:05:05:51 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; U; Android 7.0; en-us; MI 5 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.146 Mobile Safari/537.36 XiaoMi/MiuiBrowser/9.0.3\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río 
de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [03/Mar/2023:19:16:51 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"187.80.4.18 - - [06/Mar/2023:06:58:52 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"","previous_output":"187.80.4.18 - - [06/Mar/2023:06:58:46 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:06:58:47 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - [06/Mar/2023:06:58:48 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\"\n187.80.4.18 - - 
[06/Mar/2023:06:58:49 +0000] \"GET / HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.124.37.241 - - [05/Mar/2023:15:45:26 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"","previous_output":"45.124.37.241 - - [05/Mar/2023:15:45:20 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:15:45:21 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:15:45:22 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\"\n45.124.37.241 - - [05/Mar/2023:15:45:23 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; SM-T827R4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"187.80.4.18 - - [05/Mar/2023:14:15:57 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"187.80.4.18 - - [05/Mar/2023:14:15:51 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:14:15:52 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:14:15:53 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:14:15:54 +0000] 
\"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"},"full_log":"141.98.81.37 - - [04/Mar/2023:03:37:57 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 6.0.1; SGP771 Build/32.2.A.0.253; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"134.87.21.47","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"134.87.21.47 - - [05/Mar/2023:04:27:38 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/shopdb/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"141.98.81.37 - - [05/Mar/2023:17:54:10 +0000] \"GET /shopdb/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"},"full_log":"187.80.4.18 - - [05/Mar/2023:02:29:48 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"54.10.24.5","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"54.10.24.5 - - [06/Mar/2023:12:36:45 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"187.80.4.18","id":"404","url":"/sql/phpMyAdmin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"187.80.4.18 - - [05/Mar/2023:21:43:09 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"","previous_output":"187.80.4.18 - - [05/Mar/2023:21:43:03 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:21:43:04 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:21:43:05 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\"\n187.80.4.18 - - [05/Mar/2023:21:43:06 +0000] \"GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/54.0 Firefox/54.0\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"45.124.37.241 - - [07/Mar/2023:09:44:31 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/mysql/web/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"},"full_log":"141.98.81.37 - - [07/Mar/2023:21:27:40 +0000] \"GET /mysql/web/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30\""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/pma2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [06/Mar/2023:20:16:22 +0000] \"GET /pma2020/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"},"full_log":"45.75.196.15 - - [01/Mar/2023:16:48:06 +0000] \"GET 
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) FxiOS/7.5b3349 Mobile/14F89 Safari/603.2.4\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/db/phpMyAdmin-3/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"45.124.37.241 - - [06/Mar/2023:12:20:40 +0000] \"GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source 
ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/phpmyadmin2020/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"45.75.196.15 - - [02/Mar/2023:11:10:45 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"","previous_output":"45.75.196.15 - - [02/Mar/2023:11:10:39 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:11:10:40 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:11:10:41 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\"\n45.75.196.15 - - [02/Mar/2023:11:10:42 +0000] \"GET /phpmyadmin2020/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error 
code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.124.37.241","id":"404","url":"/administrator/admin/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"},"full_log":"45.124.37.241 - - [01/Mar/2023:15:14:09 +0000] \"GET /administrator/admin/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; XBOX_ONE_ED) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["6.5","11.4"],"description":"Web server 400 error code.","groups":["web","accesslog","attack"],"id":"31101","nist_800_53":["SA.11","SI.4"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"},"full_log":"141.98.81.37 - - [07/Mar/2023:16:09:44 +0000] \"GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1\" 404 219 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) 
AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"141.98.81.37","id":"404","url":"\t/administrator/pma/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"},"full_log":"141.98.81.37 - - [04/Mar/2023:22:25:11 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"","previous_output":"141.98.81.37 - - [04/Mar/2023:22:25:05 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [04/Mar/2023:22:25:06 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [04/Mar/2023:22:25:07 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox 
One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\"\n141.98.81.37 - - [04/Mar/2023:22:25:08 +0000] \"GET \t/administrator/pma/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"16.4.20.20","id":"404","url":"/remote/login?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"},"full_log":"16.4.20.20 - - [02/Mar/2023:18:55:47 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"","previous_output":"16.4.20.20 - - [02/Mar/2023:18:55:41 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:18:55:42 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 
Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:18:55:43 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\"\n16.4.20.20 - - [02/Mar/2023:18:55:44 +0000] \"GET /remote/login?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":10,"pci_dss":["6.5","11.4"],"description":"Multiple web server 400 error codes from same source ip.","groups":["web","accesslog","web_scan","recon"],"id":"31151","nist_800_53":["SA.11","SI.4"],"frequency":14,"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"45.75.196.15","id":"404","url":"/sql/phpmyadmin2/index.php?lang=en"},"location":"/var/log/httpd/access_log","input":{"type":"log"},"GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"},"full_log":"45.75.196.15 - - [03/Mar/2023:14:29:07 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"","previous_output":"45.75.196.15 - - [03/Mar/2023:14:29:01 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:14:29:02 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 
\"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:14:29:03 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\"\n45.75.196.15 - - [03/Mar/2023:14:29:04 +0000] \"GET /sql/phpmyadmin2/index.php?lang=en HTTP/1.1\" 404 222 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1\""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2630","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3260","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5068","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"651","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1972","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4089","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"863","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5183","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"173","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2126","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5532","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"427","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"845","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5010","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"351","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5947","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"17","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5121","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3947","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1773","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3630","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1981","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2888","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3605","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2497","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2318","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4429","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4997","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4194","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5017","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"366","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5114","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"234","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2577","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5738","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"471","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3349","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"119","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3604","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4377","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1816","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"434","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5827","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1120","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2101","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3149","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3576","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5497","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3958","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3513","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1517","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"69","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1005","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"196","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4919","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"365","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5765","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1997","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2402","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4333","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3286","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3969","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1271","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5107","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4200","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"204","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2345","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1646","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4133","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1703","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2660","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2338","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2235","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1192","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3723","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3488","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1354","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1583","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4303","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"148","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2126","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2855","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4317","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background 
Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1855","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4411","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5544","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"883","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2043","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5170","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3792","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"220","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3963","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2239","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"849","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3126","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2850","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1184","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3327","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1083","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5049","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5790","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4942","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1625","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3111","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4583","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1751","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3365","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5472","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5905","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5690","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3679","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5807","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"655","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"987","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2309","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5888","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"397","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2898","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3585","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2838","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"869","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"870","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1484","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4263","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"631","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"581","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1373","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1584","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3588","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"560","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1473","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2186","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1256","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5400","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"58","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5055","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5648","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5974","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2746","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1710","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2282","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"360","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5113","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2388","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: 
type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5737","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5426","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1771","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2882","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3901","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4856","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"276","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"869","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4690","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5198","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2789","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1700","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2449","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2340","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2028","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3108","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2932","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5079","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3991","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4275","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3835","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2231","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5048","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2268","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2986","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4746","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2776","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5696","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3665","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4717","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2363","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4595","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3969","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2360","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3761","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4431","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1363","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1618","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4554","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4968","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5218","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"687","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5947","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5154","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1802","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"874","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"722","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1764","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"343","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2391","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"419","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3342","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"425","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1418","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5537","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4109","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3219","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5139","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5676","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5846","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1649","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2734","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4164","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2179","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1978","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"170","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5008","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2365","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4542","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1383","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3294","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2026","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"795","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"356","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5455","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2852","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4110","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1026","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3627","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1680","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5880","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"643","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2487","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1387","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5280","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5959","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1905","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"957","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1117","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"576","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4954","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5516","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1812","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5100","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"583","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2634","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3063","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"495","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"772","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3424","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1965","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2425","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1351","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"428","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1746","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2193","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2515","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: 
type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5207","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1244","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3245","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"250","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3770","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4125","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5046","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"542","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3661","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"449","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1743","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3102","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"69","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4154","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4030","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"590","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"55","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2815","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5748","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2259","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5450","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3257","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1677","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3920","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2584","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3479","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1639","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2747","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"554","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4679","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3701","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4186","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5375","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"65","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3516","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"765","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3181","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3321","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2594","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3692","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3521","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5055","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"881","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4948","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4887","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5980","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1558","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5703","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4091","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3577","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5747","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1095","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3904","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"923","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1703","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1518","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4291","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4145","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3670","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1917","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"717","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1570","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5166","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4519","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5449","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3753","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2662","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4374","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1062","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5865","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4088","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4886","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4818","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3776","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3640","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2617","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5904","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2940","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3864","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5439","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5171","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"303","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4534","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5788","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3725","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2274","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3261","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4620","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4788","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5625","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"545","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5212","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto 
start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2674","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"191","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1180","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3525","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2857","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1635","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"831","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4791","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5154","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2767","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4353","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2345","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5964","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3744","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4051","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5442","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1980","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2286","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5956","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1323","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5128","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2291","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1683","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3648","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3213","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5060","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2840","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4755","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1379","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4042","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2674","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2324","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1043","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5922","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"190","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3464","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"725","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"28","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5507","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3080","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4464","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"282","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3446","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3324","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3851","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1435","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2035","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"902","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2264","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1532","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"347","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2342","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background 
Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4577","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1072","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3470","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2550","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3520","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3963","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3925","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4778","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1405","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5075","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2581","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3877","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5656","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2473","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"473","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"570","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"350","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4200","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4457","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2879","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2934","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3595","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"884","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2645","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3641","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3376","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4085","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3473","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2623","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4690","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5557","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2591","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2863","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4681","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3814","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3267","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4863","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3481","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1557","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3839","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2742","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2567","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5416","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1469","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2535","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5902","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4854","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3271","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5125","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3169","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5286","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4208","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2753","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4717","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"480","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4452","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5281","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3891","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"386","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5832","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1767","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1026","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3532","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"600","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5014","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2818","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3965","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1545","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5909","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4637","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1861","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5654","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1474","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2360","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3447","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5853","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"591","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4528","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4689","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"453","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"569","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1199","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1726","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1176","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5399","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3019","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1869","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3029","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5830","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1456","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1879","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2831","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2207","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"71","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto 
start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4013","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4273","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"193","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5725","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2981","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"980","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"880","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1874","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4742","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1451","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1975","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2806","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3678","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5871","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1577","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3285","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"791","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5993","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3765","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3995","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5347","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3450","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4933","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3097","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4218","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3266","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2532","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3637","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3477","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3906","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"531","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5692","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3899","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3860","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"980","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1346","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5491","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3533","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5795","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3706","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"242","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4612","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4375","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"843","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1532","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"315","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1417","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4137","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4883","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5668","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3072","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4109","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1831","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"52","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3453","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5174","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2574","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2435","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1698","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4387","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4656","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5806","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1427","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1662","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3016","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5040","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2835","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1206","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2330","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5362","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1571","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2448","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2705","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"670","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4715","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4118","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1359","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4880","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5719","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"391","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"488","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3001","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"620","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5328","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"120","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5253","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1174","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"62","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"907","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1417","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5373","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4678","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2794","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2272","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4900","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4351","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4311","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"337","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"344","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3709","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5461","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1894","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2401","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"981","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5053","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1237","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2511","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2436","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5483","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2632","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5440","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3829","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"681","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1353","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5868","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1185","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: 
type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2068","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3729","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2662","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3758","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2935","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4075","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"293","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto 
start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"834","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3064","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3052","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3834","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4378","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"748","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2177","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5907","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4041","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"237","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"490","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2249","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1679","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1201","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4442","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5618","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2654","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1828","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3125","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2392","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3044","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2077","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1487","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"533","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3179","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3862","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3184","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1648","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4753","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2418","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"668","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3042","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5594","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2973","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2070","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5692","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2371","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3784","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"754","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4130","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1115","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1381","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3851","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1052","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2623","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1788","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2662","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"711","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"772","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2047","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3864","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4219","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"707","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5470","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"658","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2877","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1093","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2909","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4508","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"268","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4756","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5233","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"205","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1737","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5664","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2246","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4539","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1477","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1051","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3591","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2111","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"276","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5467","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4507","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4663","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"174","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1334","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2990","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5492","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3619","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"176","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"378","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3064","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4203","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1512","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2131","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2383","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5379","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4501","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"324","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3675","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3629","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1802","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2745","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"533","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5445","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5675","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5805","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5828","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5718","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2803","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1319","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"404","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"634","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2927","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5186","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3263","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4613","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4852","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5222","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2862","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3705","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1712","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3440","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1592","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4315","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"923","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5957","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"485","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4511","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5112","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"493","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2643","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3639","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3779","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"598","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4308","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3822","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"486","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1674","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2708","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4243","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5657","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3428","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4590","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3538","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3784","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1506","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5889","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3009","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"616","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto 
start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2861","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4690","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4978","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5888","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4352","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2849","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5616","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5559","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3806","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto 
start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1460","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"792","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 
05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3081","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5656","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4968","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5290","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4237","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"765","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2765","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3872","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1768","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3247","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5286","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4641","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3781","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4723","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5277","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"915","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4240","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1154","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5356","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1960","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5711","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1486","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5640","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3239","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2731","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"48","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4684","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4474","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service 
Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1644","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"944","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4094","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1603","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5394","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5659","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3696","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2692","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2120","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"195","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"150","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"730","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5913","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1326","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3686","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2552","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5349","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3536","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5446","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2453","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1945","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5599","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"788","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3047","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4134","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3756","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5640","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1172","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4949","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4385","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1593","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2840","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4242","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4699","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"794","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"400","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2178","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"393","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"883","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4704","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2033","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5546","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"158","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1790","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4208","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"583","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1219","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5508","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3180","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3681","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2874","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1471","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2050","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4440","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4661","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5491","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2947","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2440","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5912","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5843","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2674","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"767","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"2131","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3691","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4557","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4707","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4153","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"641","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4086","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2778","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1558","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3646","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2550","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"98","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4332","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2878","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5126","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4685","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3155","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5948","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"578","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5145","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5749","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"688","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"554","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1380","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4579","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4870","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1384","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3535","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"633","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2068","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"596","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2085","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4119","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"304","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"485","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"465","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1235","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service 
auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5713","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3798","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 
17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1089","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4257","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5664","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2607","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2555","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"401","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"959","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1816","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1740","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3191","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2691","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3568","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"764","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3287","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"55","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1982","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5165","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1850","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"373","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4495","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3231","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2322","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3949","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"5084","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3901","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background 
Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1782","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4291","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4012","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5772","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":9,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4661","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"643","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3113","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2462","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4024","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4707","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5184","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4885","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1535","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"352","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4033","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5970","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3587","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4441","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 
Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5600","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2545","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3490","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2680","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4095","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"1786","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4655","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2870","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1117","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":15,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"3084","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5584","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5752","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"908","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1919","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"3660","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2717","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1497","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":4,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"387","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5751","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"762","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2897","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1455","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":20,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4040","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4281","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":18,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2798","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5852","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2925","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: 
type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2602","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5874","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":11,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4855","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":2,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5464","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1413","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"4162","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":17,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5558","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2218","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":13,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4938","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":16,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: 
type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2928","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":1,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"5540","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":8,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 
05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4672","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":6,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1056","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 
2000."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"1517","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":3,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was 
changed.","id":"796","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":12,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"2706","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":7,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS 
","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"67","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":10,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4232","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":19,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_02","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: 
INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_02: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4801","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_04","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_04: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"4396","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":5,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control 
Manager","dstuser":"SYSTEM","system_name":"Win_Server_03","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_03: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Windows: Service startup type was changed.","id":"58","mail":false,"groups":["windows","windows","policy_changed"],"firedtimes":14,"pci":["10.6"],"hipaa":["164.312.b"],"gdpr":["IV_35.7.d"],"nist_800_53":["AU.6"],"info":"This does not appear to be logged on Windows 2000."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":18145,"predecoder":{"program_name":"WinEvtLog","timestamp":"2020 Apr 17 05:59:05"},"decoder":{"parent":"windows","name":"windows"},"data":{"extra_data":"Service Control Manager","dstuser":"SYSTEM","system_name":"Win_Server_01","id":"7040","type":"type","status":"INFORMATION"},"location":"WinEvtLog","input":{"type":"log"},"full_log":"2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: Win_Server_01: Background Intelligent Transfer Service auto start demand start BITS ","fields":{"timestamp":"dateToChange"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T14:15:06.014+0000","org":"Organization10","created_at":"2023-03-03T14:15:06.014+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T20:31:51.273+0000","org":"Organization4","created_at":"2023-03-04T20:31:51.273+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T19:12:27.847+0000","visibility":"private","org":"Organization7","repo":"Organization7/Repo3","created_at":"2023-03-06T19:12:27.847+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T06:24:55.489+0000","org":"Organization1","created_at":"2023-03-07T06:24:55.489+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T01:10:43.731+0000","org":"Organization10","repo":"Organization10/Repo4","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo1","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T21:29:44.651+0000","org":"Organization1","created_at":"2023-03-04T21:29:44.651+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User10","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T05:34:58.652+0000","org":"Organization8","hook_id":"303999727","name":"webhook","created_at":"2023-03-02T05:34:58.652+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T08:08:13.849+0000","org":"Organization5","repo":"Organization5/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo4","repository_public":"false","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T09:48:35.485+0000","org":"Organization2","created_at":"2023-03-08T09:48:35.485+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T23:04:06.219+0000","org":"Organization1","created_at":"2023-03-01T23:04:06.219+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User10","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T19:17:53.883+0000","org":"Organization5","repo":"Organization5/Repo8","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T10:06:56.912+0000","org":"Organization10","created_at":"2023-03-04T10:06:56.912+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T02:10:58.384+0000","org":"Organization2","created_at":"2023-03-02T02:10:58.384+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T17:38:48.650+0000","org":"Organization6","created_at":"2023-03-07T17:38:48.650+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User4","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T20:54:54.618+0000","visibility":"internal","org":"Organization6","created_at":"2023-03-03T20:54:54.618+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T21:41:04.854+0000","org":"Organization2","created_at":"2023-03-01T21:41:04.854+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T02:11:54.027+0000","org":"Organization1","repo":"Organization1/Repo9","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo9","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T02:58:47.938+0000","org":"Organization4","repo":"Organization4/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo5","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T00:12:14.126+0000","org":"Organization10","repo":"Organization10/Repo2","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T09:57:54.451+0000","org":"Organization4","created_at":"2023-03-06T09:57:54.451+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User4","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T04:51:30.506+0000","org":"Organization2","created_at":"2023-03-02T04:51:30.506+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T15:52:15.601+0000","org":"Organization9","created_at":"2023-03-07T15:52:15.601+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User5","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T18:06:50.516+0000","org":"Organization2","created_at":"2023-03-03T18:06:50.516+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T11:19:08.482+0000","org":"Organization3","created_at":"2023-03-05T11:19:08.482+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User4","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T15:57:32.337+0000","org":"Organization3","created_at":"2023-03-06T15:57:32.337+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User7","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T05:33:22.706+0000","org":"Organization10","created_at":"2023-03-04T05:33:22.706+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T12:08:57.061+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo2","created_at":"2023-03-03T12:08:57.061+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T21:46:20.443+0000","org":"Organization3","created_at":"2023-03-02T21:46:20.443+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User6","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T02:05:55.825+0000","visibility":"public","org":"Organization9","repo":"Organization9/Repo9","created_at":"2023-03-03T02:05:55.825+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T19:08:03.925+0000","visibility":"public","org":"Organization1","repo":"Organization1/Repo9","created_at":"2023-03-07T19:08:03.925+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T22:57:07.021+0000","org":"Organization9","created_at":"2023-03-05T22:57:07.021+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T09:53:01.178+0000","org":"Organization1","repo":"Organization1/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo8","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T19:50:32.417+0000","org":"Organization8","repo":"Organization8/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo10","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T09:16:00.689+0000","org":"Organization7","repo":"Organization7/Repo7","created_at":"2023-03-08T09:16:00.689+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User8","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T16:34:58.610+0000","org":"Organization6","repo":"Organization6/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo1","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T23:37:15.186+0000","org":"Organization3","created_at":"2023-03-02T23:37:15.186+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T18:36:44.183+0000","org":"Organization10","created_at":"2023-03-01T18:36:44.183+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T20:33:38.488+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo10","created_at":"2023-03-05T20:33:38.488+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T00:33:16.531+0000","org":"Organization9","created_at":"2023-03-02T00:33:16.531+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T04:22:00.107+0000","visibility":"public","org":"Organization6","repo":"Organization6/Repo1","created_at":"2023-03-02T04:22:00.107+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T18:17:41.720+0000","org":"Organization7","created_at":"2023-03-01T18:17:41.720+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T17:04:43.080+0000","org":"Organization5","created_at":"2023-03-04T17:04:43.080+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T17:19:15.165+0000","org":"Organization9","created_at":"2023-03-01T17:19:15.165+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T15:28:31.237+0000","org":"Organization2","created_at":"2023-03-01T15:28:31.237+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User1","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T21:57:51.191+0000","org":"Organization5","created_at":"2023-03-01T21:57:51.191+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T05:37:42.980+0000","org":"Organization3","hook_id":"303999727","name":"webhook","created_at":"2023-03-03T05:37:42.980+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T16:35:47.093+0000","org":"Organization7","created_at":"2023-03-04T16:35:47.093+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User4","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T22:17:49.885+0000","org":"Organization8","created_at":"2023-03-07T22:17:49.885+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T20:23:47.168+0000","org":"Organization10","created_at":"2023-03-04T20:23:47.168+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User5","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T22:52:55.428+0000","org":"Organization9","created_at":"2023-03-06T22:52:55.428+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T17:58:31.835+0000","org":"Organization4","created_at":"2023-03-04T17:58:31.835+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T07:47:25.792+0000","org":"Organization1","created_at":"2023-03-02T07:47:25.792+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T15:40:23.319+0000","org":"Organization7","created_at":"2023-03-03T15:40:23.319+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T18:16:47.997+0000","org":"Organization2","created_at":"2023-03-02T18:16:47.997+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T15:30:14.865+0000","org":"Organization10","created_at":"2023-03-04T15:30:14.865+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User2","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T14:29:11.132+0000","org":"Organization5","created_at":"2023-03-07T14:29:11.132+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User10","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T23:20:55.046+0000","org":"Organization10","created_at":"2023-03-07T23:20:55.046+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User1","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-05T06:55:30.856+0000","org":"Organization3","created_at":"2023-03-05T06:55:30.856+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T09:12:31.186+0000","org":"Organization3","created_at":"2023-03-06T09:12:31.186+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User6","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T09:20:00.905+0000","org":"Organization5","repo":"Organization5/Repo9","created_at":"2023-03-02T09:20:00.905+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User1","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T01:32:21.560+0000","org":"Organization6","created_at":"2023-03-07T01:32:21.560+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User6","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T03:08:16.567+0000","org":"Organization10","created_at":"2023-03-06T03:08:16.567+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization7","created_at":"2023-03-06T12:45:04.967+0000","active":"true","actor":"User7","@timestamp":"2023-03-06T12:45:04.967+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T23:27:24.072+0000","org":"Organization6","created_at":"2023-03-07T23:27:24.072+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User1","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T06:56:13.759+0000","org":"Organization8","created_at":"2023-03-05T06:56:13.759+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T12:19:03.112+0000","org":"Organization10","created_at":"2023-03-02T12:19:03.112+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User3","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-01T23:30:33.351+0000","org":"Organization3","created_at":"2023-03-01T23:30:33.351+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-01T17:55:40.353+0000","visibility":"private_internal","org":"Organization4","created_at":"2023-03-01T17:55:40.353+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T21:27:33.856+0000","org":"Organization8","created_at":"2023-03-05T21:27:33.856+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User6","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T20:33:40.602+0000","org":"Organization6","created_at":"2023-03-06T20:33:40.602+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T00:15:36.815+0000","org":"Organization6","created_at":"2023-03-02T00:15:36.815+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T10:47:11.563+0000","org":"Organization7","created_at":"2023-03-07T10:47:11.563+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T07:39:48.133+0000","org":"Organization1","repo":"Organization1/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo7","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T09:36:22.010+0000","org":"Organization7","created_at":"2023-03-06T09:36:22.010+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T18:14:31.547+0000","org":"Organization4","created_at":"2023-03-03T18:14:31.547+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User2","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T13:56:18.973+0000","org":"Organization8","created_at":"2023-03-04T13:56:18.973+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T23:04:19.841+0000","org":"Organization4","created_at":"2023-03-06T23:04:19.841+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T22:28:18.319+0000","org":"Organization8","created_at":"2023-03-07T22:28:18.319+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T23:36:49.689+0000","org":"Organization7","repo":"Organization7/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo6","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T01:42:45.544+0000","org":"Organization7","created_at":"2023-03-02T01:42:45.544+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T18:53:44.076+0000","org":"Organization1","repo":"Organization1/Repo10","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T15:20:04.894+0000","org":"Organization8","created_at":"2023-03-04T15:20:04.894+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T04:22:00.251+0000","org":"Organization4","created_at":"2023-03-03T04:22:00.251+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User3","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T06:17:31.429+0000","org":"Organization9","created_at":"2023-03-02T06:17:31.429+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T20:44:08.871+0000","org":"Organization6","repo":"Organization6/Repo2","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo6","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T05:31:02.795+0000","org":"Organization10","created_at":"2023-03-02T05:31:02.795+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T16:46:24.273+0000","visibility":"private_internal","org":"Organization3","created_at":"2023-03-07T16:46:24.273+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T07:44:36.697+0000","org":"Organization10","repo":"Organization10/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo1","repository_public":"false","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T12:06:41.908+0000","org":"Organization5","created_at":"2023-03-03T12:06:41.908+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T12:50:49.054+0000","org":"Organization2","created_at":"2023-03-06T12:50:49.054+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User2","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T22:54:36.678+0000","org":"Organization8","repo":"Organization8/Repo3","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T12:29:17.446+0000","org":"Organization3","repo":"Organization3/Repo10","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T05:37:10.415+0000","org":"Organization5","created_at":"2023-03-07T05:37:10.415+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T07:00:26.402+0000","org":"Organization6","created_at":"2023-03-02T07:00:26.402+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T09:03:54.386+0000","org":"Organization4","created_at":"2023-03-06T09:03:54.386+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T13:50:37.695+0000","org":"Organization5","repo":"Organization5/Repo1","created_at":"2023-03-07T13:50:37.695+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User7","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T17:21:26.875+0000","org":"Organization7","created_at":"2023-03-06T17:21:26.875+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User2","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T15:27:02.860+0000","org":"Organization5","created_at":"2023-03-07T15:27:02.860+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T06:13:00.181+0000","org":"Organization10","repo":"Organization10/Repo10","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T14:59:20.344+0000","org":"Organization1","created_at":"2023-03-02T14:59:20.344+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T23:36:42.698+0000","org":"Organization6","created_at":"2023-03-04T23:36:42.698+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User1","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T00:06:51.870+0000","visibility":"public","org":"Organization7","repo":"Organization7/Repo5","created_at":"2023-03-06T00:06:51.870+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T00:02:07.264+0000","org":"Organization7","created_at":"2023-03-03T00:02:07.264+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User9","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T13:41:36.432+0000","org":"Organization5","created_at":"2023-03-04T13:41:36.432+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User3","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T12:10:43.680+0000","org":"Organization6","created_at":"2023-03-02T12:10:43.680+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User8","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T05:00:52.688+0000","org":"Organization7","created_at":"2023-03-06T05:00:52.688+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T10:53:52.125+0000","org":"Organization6","created_at":"2023-03-03T10:53:52.125+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User9","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T20:16:21.302+0000","org":"Organization7","created_at":"2023-03-06T20:16:21.302+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T17:39:42.956+0000","org":"Organization6","repo":"Organization6/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo2","repository_public":"false","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T14:27:10.630+0000","org":"Organization1","created_at":"2023-03-03T14:27:10.630+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User4","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-05T17:22:07.965+0000","org":"Organization4","hook_id":"303999727","name":"webhook","created_at":"2023-03-05T17:22:07.965+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-05T14:58:52.728+0000","org":"Organization6","created_at":"2023-03-05T14:58:52.728+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T19:06:51.952+0000","org":"Organization10","repo":"Organization10/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo10","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T22:22:39.309+0000","org":"Organization3","created_at":"2023-03-02T22:22:39.309+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User1","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T14:55:59.383+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo2","created_at":"2023-03-06T14:55:59.383+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T23:12:29.795+0000","org":"Organization1","created_at":"2023-03-07T23:12:29.795+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User6","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T02:50:16.306+0000","org":"Organization6","created_at":"2023-03-07T02:50:16.306+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-08T01:48:29.784+0000","org":"Organization3","created_at":"2023-03-08T01:48:29.784+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User5","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T17:17:43.981+0000","org":"Organization3","created_at":"2023-03-02T17:17:43.981+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T19:03:40.039+0000","org":"Organization7","created_at":"2023-03-04T19:03:40.039+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User3","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-08T08:21:58.483+0000","org":"Organization9","created_at":"2023-03-08T08:21:58.483+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T13:01:32.757+0000","org":"Organization7","created_at":"2023-03-03T13:01:32.757+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User6","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T03:50:50.684+0000","org":"Organization3","created_at":"2023-03-08T03:50:50.684+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T08:24:55.317+0000","org":"Organization9","created_at":"2023-03-05T08:24:55.317+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T20:18:29.694+0000","org":"Organization10","created_at":"2023-03-06T20:18:29.694+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T06:49:46.243+0000","org":"Organization5","created_at":"2023-03-06T06:49:46.243+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T09:25:38.720+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo7","created_at":"2023-03-06T09:25:38.720+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T07:26:16.013+0000","org":"Organization10","created_at":"2023-03-05T07:26:16.013+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T01:06:38.151+0000","org":"Organization7","created_at":"2023-03-06T01:06:38.151+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T01:05:40.911+0000","org":"Organization3","created_at":"2023-03-07T01:05:40.911+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T20:10:25.502+0000","org":"Organization3","created_at":"2023-03-04T20:10:25.502+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T23:45:03.311+0000","org":"Organization8","hook_id":"303999727","name":"webhook","created_at":"2023-03-04T23:45:03.311+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T13:53:15.978+0000","org":"Organization7","created_at":"2023-03-06T13:53:15.978+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization8","created_at":"2023-03-04T21:16:41.920+0000","active":"true","actor":"User9","@timestamp":"2023-03-04T21:16:41.920+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T17:01:48.182+0000","org":"Organization6","created_at":"2023-03-03T17:01:48.182+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T14:15:17.032+0000","org":"Organization5","repo":"Organization5/Repo1","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T14:50:18.004+0000","org":"Organization9","created_at":"2023-03-01T14:50:18.004+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User2","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T01:45:40.604+0000","org":"Organization10","created_at":"2023-03-05T01:45:40.604+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User2","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T17:29:35.924+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo9","created_at":"2023-03-06T17:29:35.924+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T07:12:00.215+0000","org":"Organization1","created_at":"2023-03-03T07:12:00.215+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T04:06:42.998+0000","org":"Organization4","created_at":"2023-03-07T04:06:42.998+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User5","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T20:56:09.781+0000","org":"Organization8","created_at":"2023-03-03T20:56:09.781+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T05:07:29.441+0000","org":"Organization5","repo":"Organization5/Repo1","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T12:06:13.702+0000","org":"Organization6","repo":"Organization6/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo6","repository_public":"false","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T13:42:50.607+0000","org":"Organization7","repo":"Organization7/Repo2","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo9","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T12:34:00.452+0000","org":"Organization8","created_at":"2023-03-03T12:34:00.452+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T22:14:12.901+0000","visibility":"public","org":"Organization5","repo":"Organization5/Repo4","created_at":"2023-03-03T22:14:12.901+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T08:51:07.750+0000","org":"Organization10","created_at":"2023-03-02T08:51:07.750+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User6","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T07:54:37.136+0000","org":"Organization9","repo":"Organization9/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo2","repository_public":"false","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T07:26:50.130+0000","org":"Organization3","created_at":"2023-03-04T07:26:50.130+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User5","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-08T06:59:40.231+0000","org":"Organization7","created_at":"2023-03-08T06:59:40.231+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T15:49:46.488+0000","org":"Organization1","repo":"Organization1/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo10","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T06:07:27.928+0000","org":"Organization3","repo":"Organization3/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo4","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T16:22:23.983+0000","org":"Organization8","created_at":"2023-03-02T16:22:23.983+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User9","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T11:18:03.575+0000","org":"Organization8","created_at":"2023-03-03T11:18:03.575+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-08T09:27:46.929+0000","org":"Organization8","repo":"Organization8/Repo9","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo5","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T07:32:53.909+0000","org":"Organization8","repo":"Organization8/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo5","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-01T20:43:12.399+0000","org":"Organization5","created_at":"2023-03-01T20:43:12.399+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User9","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T21:01:29.572+0000","org":"Organization8","created_at":"2023-03-03T21:01:29.572+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T23:01:10.184+0000","org":"Organization8","repo":"Organization8/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo4","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T16:17:28.469+0000","visibility":"internal","org":"Organization5","created_at":"2023-03-07T16:17:28.469+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T05:33:26.705+0000","org":"Organization3","created_at":"2023-03-08T05:33:26.705+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User7","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T15:34:46.064+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo8","created_at":"2023-03-06T15:34:46.064+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-08T00:00:39.942+0000","org":"Organization3","created_at":"2023-03-08T00:00:39.942+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User8","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T07:13:46.481+0000","org":"Organization8","created_at":"2023-03-04T07:13:46.481+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T02:58:38.158+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo4","created_at":"2023-03-04T02:58:38.158+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T01:59:08.614+0000","org":"Organization4","created_at":"2023-03-05T01:59:08.614+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T16:56:48.633+0000","org":"Organization8","repo":"Organization8/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo4","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T09:54:13.934+0000","org":"Organization8","created_at":"2023-03-02T09:54:13.934+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T02:08:36.640+0000","org":"Organization5","created_at":"2023-03-07T02:08:36.640+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User3","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T08:44:25.985+0000","org":"Organization4","created_at":"2023-03-06T08:44:25.985+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-08T09:09:49.376+0000","org":"Organization5","repo":"Organization5/Repo6","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T14:36:56.099+0000","org":"Organization3","created_at":"2023-03-07T14:36:56.099+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User2","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T08:34:24.504+0000","org":"Organization6","created_at":"2023-03-05T08:34:24.504+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T18:38:58.628+0000","org":"Organization7","created_at":"2023-03-03T18:38:58.628+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T19:02:32.777+0000","org":"Organization9","created_at":"2023-03-05T19:02:32.777+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User3","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T18:31:30.285+0000","org":"Organization8","created_at":"2023-03-02T18:31:30.285+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User3","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T08:48:28.495+0000","org":"Organization1","repo":"Organization1/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo6","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T16:13:21.318+0000","org":"Organization2","created_at":"2023-03-01T16:13:21.318+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T09:51:17.833+0000","org":"Organization1","repo":"Organization1/Repo6","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo5","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T19:15:56.380+0000","org":"Organization6","hook_id":"303999727","name":"webhook","created_at":"2023-03-05T19:15:56.380+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T07:08:51.863+0000","org":"Organization4","repo":"Organization4/Repo2","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo7","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T16:30:19.973+0000","org":"Organization6","created_at":"2023-03-02T16:30:19.973+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User7","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T05:40:31.018+0000","org":"Organization4","repo":"Organization4/Repo3","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo6","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T08:29:49.324+0000","org":"Organization8","created_at":"2023-03-07T08:29:49.324+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User9","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T21:31:36.902+0000","org":"Organization4","repo":"Organization4/Repo3","created_at":"2023-03-02T21:31:36.902+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T20:50:06.582+0000","visibility":"internal","org":"Organization2","created_at":"2023-03-03T20:50:06.582+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T21:37:45.770+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo6","created_at":"2023-03-07T21:37:45.770+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T23:59:03.944+0000","org":"Organization10","created_at":"2023-03-07T23:59:03.944+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User7","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T00:37:22.705+0000","org":"Organization2","repo":"Organization2/Repo7","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo8","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T21:30:00.272+0000","org":"Organization1","created_at":"2023-03-07T21:30:00.272+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User9","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T18:53:16.508+0000","org":"Organization9","created_at":"2023-03-02T18:53:16.508+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User9","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T23:44:09.099+0000","org":"Organization1","repo":"Organization1/Repo1","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo3","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T10:41:05.314+0000","visibility":"private_internal","org":"Organization3","created_at":"2023-03-03T10:41:05.314+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T08:57:25.505+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo6","created_at":"2023-03-06T08:57:25.505+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T04:03:34.848+0000","org":"Organization10","repo":"Organization10/Repo7","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo9","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T12:02:20.936+0000","org":"Organization5","created_at":"2023-03-05T12:02:20.936+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User1","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T21:29:41.183+0000","visibility":"public","org":"Organization9","repo":"Organization9/Repo10","created_at":"2023-03-03T21:29:41.183+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T00:22:07.246+0000","org":"Organization8","created_at":"2023-03-04T00:22:07.246+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T18:00:52.071+0000","org":"Organization5","created_at":"2023-03-05T18:00:52.071+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T17:40:25.296+0000","org":"Organization5","repo":"Organization5/Repo1","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo8","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T18:56:00.412+0000","org":"Organization2","created_at":"2023-03-03T18:56:00.412+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User5","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T14:55:34.511+0000","org":"Organization10","created_at":"2023-03-06T14:55:34.511+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User1","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-08T10:21:55.277+0000","org":"Organization1","repo":"Organization1/Repo6","created_at":"2023-03-08T10:21:55.277+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User3","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-08T02:05:52.540+0000","org":"Organization7","repo":"Organization7/Repo8","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T05:01:50.869+0000","org":"Organization3","repo":"Organization3/Repo1","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo9","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T05:46:36.327+0000","org":"Organization1","created_at":"2023-03-07T05:46:36.327+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T05:50:00.990+0000","org":"Organization4","created_at":"2023-03-07T05:50:00.990+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T16:42:21.196+0000","org":"Organization3","repo":"Organization3/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo5","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T07:38:55.081+0000","org":"Organization2","created_at":"2023-03-05T07:38:55.081+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User4","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T06:01:53.126+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo8","created_at":"2023-03-04T06:01:53.126+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-08T09:30:58.477+0000","org":"Organization9","repo":"Organization9/Repo1","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T20:16:00.743+0000","org":"Organization10","repo":"Organization10/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo2","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T00:29:52.890+0000","org":"Organization7","created_at":"2023-03-04T00:29:52.890+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T17:18:45.178+0000","org":"Organization6","repo":"Organization6/Repo9","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T07:06:05.206+0000","org":"Organization5","created_at":"2023-03-08T07:06:05.206+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T21:20:23.187+0000","org":"Organization4","created_at":"2023-03-02T21:20:23.187+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User10","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T13:16:21.036+0000","org":"Organization10","created_at":"2023-03-06T13:16:21.036+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T08:42:04.134+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo10","created_at":"2023-03-07T08:42:04.134+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T04:29:17.688+0000","org":"Organization2","created_at":"2023-03-04T04:29:17.688+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User10","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T09:53:13.670+0000","org":"Organization1","created_at":"2023-03-02T09:53:13.670+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User6","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T23:00:57.871+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo2","created_at":"2023-03-07T23:00:57.871+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T13:29:34.362+0000","org":"Organization3","created_at":"2023-03-01T13:29:34.362+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User9","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T14:10:48.650+0000","org":"Organization2","created_at":"2023-03-07T14:10:48.650+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User7","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-01T18:15:43.518+0000","org":"Organization4","created_at":"2023-03-01T18:15:43.518+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T23:34:21.435+0000","org":"Organization6","repo":"Organization6/Repo5","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo3","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T02:34:30.413+0000","org":"Organization8","repo":"Organization8/Repo6","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo2","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T15:59:29.882+0000","org":"Organization10","repo":"Organization10/Repo6","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo10","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T10:19:55.553+0000","org":"Organization10","repo":"Organization10/Repo5","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo5","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T07:32:06.022+0000","org":"Organization6","created_at":"2023-03-07T07:32:06.022+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T10:03:15.610+0000","org":"Organization7","created_at":"2023-03-04T10:03:15.610+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T17:35:03.429+0000","org":"Organization3","created_at":"2023-03-02T17:35:03.429+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T10:24:24.738+0000","org":"Organization3","created_at":"2023-03-02T10:24:24.738+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T22:22:45.312+0000","org":"Organization4","created_at":"2023-03-01T22:22:45.312+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T18:46:27.721+0000","org":"Organization4","created_at":"2023-03-07T18:46:27.721+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T22:35:31.158+0000","org":"Organization10","created_at":"2023-03-04T22:35:31.158+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User6","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T12:03:31.872+0000","visibility":"internal","org":"Organization7","created_at":"2023-03-04T12:03:31.872+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T03:01:43.397+0000","org":"Organization6","created_at":"2023-03-04T03:01:43.397+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T04:02:27.047+0000","org":"Organization2","repo":"Organization2/Repo2","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T22:32:21.531+0000","org":"Organization1","created_at":"2023-03-02T22:32:21.531+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User10","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T12:46:59.336+0000","org":"Organization8","created_at":"2023-03-03T12:46:59.336+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T14:38:14.044+0000","org":"Organization1","created_at":"2023-03-02T14:38:14.044+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User10","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T01:46:48.465+0000","org":"Organization2","repo":"Organization2/Repo2","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo8","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T10:31:51.810+0000","org":"Organization7","created_at":"2023-03-03T10:31:51.810+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T13:26:55.427+0000","org":"Organization9","created_at":"2023-03-06T13:26:55.427+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T10:18:55.464+0000","org":"Organization7","created_at":"2023-03-03T10:18:55.464+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T23:10:47.395+0000","org":"Organization6","repo":"Organization6/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo5","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T22:00:41.573+0000","org":"Organization10","repo":"Organization10/Repo10","created_at":"2023-03-07T22:00:41.573+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T23:39:35.493+0000","org":"Organization8","repo":"Organization8/Repo3","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo8","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T21:10:33.667+0000","org":"Organization7","repo":"Organization7/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo7","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T12:59:38.028+0000","org":"Organization7","repo":"Organization7/Repo5","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo9","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T16:26:40.830+0000","org":"Organization5","created_at":"2023-03-03T16:26:40.830+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User8","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T21:46:49.134+0000","org":"Organization7","created_at":"2023-03-06T21:46:49.134+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T01:32:36.105+0000","org":"Organization5","created_at":"2023-03-07T01:32:36.105+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User10","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-05T02:03:52.723+0000","org":"Organization2","created_at":"2023-03-05T02:03:52.723+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T13:25:16.839+0000","org":"Organization10","repo":"Organization10/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo8","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T11:57:01.981+0000","org":"Organization6","created_at":"2023-03-05T11:57:01.981+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T13:34:34.944+0000","org":"Organization2","repo":"Organization2/Repo10","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo7","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T17:25:53.311+0000","org":"Organization6","created_at":"2023-03-04T17:25:53.311+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User8","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T19:56:08.784+0000","org":"Organization5","created_at":"2023-03-03T19:56:08.784+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T22:57:32.780+0000","org":"Organization4","created_at":"2023-03-02T22:57:32.780+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T04:16:15.376+0000","org":"Organization8","repo":"Organization8/Repo5","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T13:26:15.456+0000","org":"Organization9","created_at":"2023-03-06T13:26:15.456+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User10","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T07:23:03.305+0000","org":"Organization8","hook_id":"303999727","name":"webhook","created_at":"2023-03-02T07:23:03.305+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T10:08:09.886+0000","org":"Organization5","created_at":"2023-03-04T10:08:09.886+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T21:12:39.740+0000","org":"Organization2","created_at":"2023-03-04T21:12:39.740+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T07:27:55.087+0000","org":"Organization7","repo":"Organization7/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo8","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T11:58:33.428+0000","org":"Organization5","repo":"Organization5/Repo6","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T06:56:52.797+0000","org":"Organization10","repo":"Organization10/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo3","repository_public":"false","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T02:34:49.088+0000","org":"Organization9","repo":"Organization9/Repo5","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-01T18:48:19.911+0000","org":"Organization10","created_at":"2023-03-01T18:48:19.911+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User8","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T19:10:51.512+0000","org":"Organization5","created_at":"2023-03-04T19:10:51.512+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User7","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T13:51:21.189+0000","org":"Organization4","created_at":"2023-03-02T13:51:21.189+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User10","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T18:52:20.375+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo6","created_at":"2023-03-04T18:52:20.375+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-01T16:42:10.335+0000","org":"Organization4","created_at":"2023-03-01T16:42:10.335+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T04:25:24.318+0000","org":"Organization6","created_at":"2023-03-05T04:25:24.318+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T17:04:57.450+0000","org":"Organization9","repo":"Organization9/Repo9","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo1","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T11:10:17.951+0000","org":"Organization10","created_at":"2023-03-06T11:10:17.951+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T11:23:39.143+0000","org":"Organization2","repo":"Organization2/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo7","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T02:13:00.206+0000","org":"Organization6","repo":"Organization6/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo2","repository_public":"false","actor":"User10"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T01:27:32.133+0000","org":"Organization10","created_at":"2023-03-02T01:27:32.133+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T08:41:40.423+0000","org":"Organization1","created_at":"2023-03-07T08:41:40.423+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T17:01:59.099+0000","org":"Organization9","created_at":"2023-03-06T17:01:59.099+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User5","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T20:49:25.584+0000","org":"Organization3","created_at":"2023-03-03T20:49:25.584+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User8","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T17:08:50.018+0000","org":"Organization6","created_at":"2023-03-03T17:08:50.018+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T11:23:44.772+0000","org":"Organization8","created_at":"2023-03-05T11:23:44.772+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T15:05:09.389+0000","org":"Organization1","repo":"Organization1/Repo4","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T11:09:21.827+0000","org":"Organization8","created_at":"2023-03-06T11:09:21.827+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T21:52:06.310+0000","org":"Organization8","created_at":"2023-03-06T21:52:06.310+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User1","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-01T19:20:14.854+0000","org":"Organization9","created_at":"2023-03-01T19:20:14.854+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T02:25:42.967+0000","org":"Organization8","created_at":"2023-03-02T02:25:42.967+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T22:52:07.789+0000","org":"Organization1","created_at":"2023-03-03T22:52:07.789+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T15:59:42.633+0000","org":"Organization1","created_at":"2023-03-05T15:59:42.633+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User7","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T14:47:51.769+0000","org":"Organization4","created_at":"2023-03-04T14:47:51.769+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T03:58:14.906+0000","visibility":"public","org":"Organization9","repo":"Organization9/Repo4","created_at":"2023-03-06T03:58:14.906+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T07:08:04.460+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo8","created_at":"2023-03-06T07:08:04.460+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T23:12:48.826+0000","org":"Organization1","created_at":"2023-03-04T23:12:48.826+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User1","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T09:01:51.446+0000","org":"Organization5","created_at":"2023-03-02T09:01:51.446+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User10","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T07:02:19.485+0000","org":"Organization7","repo":"Organization7/Repo8","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo1","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T16:11:20.051+0000","org":"Organization9","created_at":"2023-03-06T16:11:20.051+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T20:33:00.586+0000","org":"Organization7","repo":"Organization7/Repo5","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-01T20:50:29.629+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo9","created_at":"2023-03-01T20:50:29.629+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T17:47:54.752+0000","org":"Organization8","repo":"Organization8/Repo6","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T05:48:31.182+0000","org":"Organization9","created_at":"2023-03-07T05:48:31.182+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T13:42:32.018+0000","org":"Organization5","created_at":"2023-03-01T13:42:32.018+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-07T02:12:03.475+0000","active":"true","actor":"User4","@timestamp":"2023-03-07T02:12:03.475+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T18:03:01.760+0000","org":"Organization4","created_at":"2023-03-02T18:03:01.760+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User10","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T03:25:17.278+0000","org":"Organization9","repo":"Organization9/Repo6","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T04:49:53.928+0000","org":"Organization2","created_at":"2023-03-06T04:49:53.928+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T04:27:22.597+0000","org":"Organization1","created_at":"2023-03-04T04:27:22.597+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User6","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T00:27:11.837+0000","org":"Organization6","repo":"Organization6/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo10","repository_public":"false","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T05:04:06.857+0000","org":"Organization9","created_at":"2023-03-07T05:04:06.857+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T22:07:08.448+0000","org":"Organization7","created_at":"2023-03-01T22:07:08.448+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User4","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T18:58:58.256+0000","org":"Organization7","repo":"Organization7/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo9","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T08:00:30.164+0000","org":"Organization10","created_at":"2023-03-06T08:00:30.164+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T06:31:26.809+0000","org":"Organization3","created_at":"2023-03-08T06:31:26.809+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T08:57:52.141+0000","org":"Organization10","created_at":"2023-03-07T08:57:52.141+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User4","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T21:37:25.616+0000","org":"Organization7","repo":"Organization7/Repo6","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T14:23:56.705+0000","org":"Organization2","created_at":"2023-03-05T14:23:56.705+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User5","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T06:16:36.037+0000","org":"Organization9","repo":"Organization9/Repo1","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T14:24:50.070+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo4","created_at":"2023-03-04T14:24:50.070+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T16:28:44.401+0000","org":"Organization7","repo":"Organization7/Repo7","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T17:51:05.128+0000","org":"Organization7","created_at":"2023-03-01T17:51:05.128+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T22:51:29.406+0000","org":"Organization1","repo":"Organization1/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo5","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T13:02:29.936+0000","org":"Organization10","created_at":"2023-03-04T13:02:29.936+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User3","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T03:20:00.398+0000","org":"Organization8","created_at":"2023-03-03T03:20:00.398+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User7","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T10:54:00.670+0000","org":"Organization8","created_at":"2023-03-03T10:54:00.670+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User5","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T20:42:20.779+0000","org":"Organization5","repo":"Organization5/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"false","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T20:51:41.118+0000","org":"Organization2","created_at":"2023-03-03T20:51:41.118+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T19:04:37.522+0000","org":"Organization1","repo":"Organization1/Repo2","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo5","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T11:09:41.674+0000","org":"Organization1","created_at":"2023-03-04T11:09:41.674+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User10","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T13:03:45.825+0000","org":"Organization8","created_at":"2023-03-05T13:03:45.825+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T00:03:17.328+0000","org":"Organization8","created_at":"2023-03-02T00:03:17.328+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T14:46:55.186+0000","visibility":"private","org":"Organization7","repo":"Organization7/Repo3","created_at":"2023-03-06T14:46:55.186+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T04:38:53.745+0000","org":"Organization3","created_at":"2023-03-04T04:38:53.745+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T22:31:03.490+0000","org":"Organization8","created_at":"2023-03-02T22:31:03.490+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User10","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-08T07:28:49.884+0000","org":"Organization3","created_at":"2023-03-08T07:28:49.884+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T00:30:48.171+0000","visibility":"internal","org":"Organization4","created_at":"2023-03-06T00:30:48.171+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T05:39:25.107+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo7","created_at":"2023-03-06T05:39:25.107+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T18:07:03.423+0000","visibility":"internal","org":"Organization5","created_at":"2023-03-07T18:07:03.423+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T23:46:46.319+0000","org":"Organization3","repo":"Organization3/Repo8","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T10:04:34.872+0000","org":"Organization3","created_at":"2023-03-07T10:04:34.872+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T06:51:41.217+0000","org":"Organization6","created_at":"2023-03-05T06:51:41.217+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T07:31:22.999+0000","org":"Organization8","created_at":"2023-03-02T07:31:22.999+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T04:55:03.030+0000","org":"Organization6","created_at":"2023-03-02T04:55:03.030+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T12:46:24.834+0000","org":"Organization5","repo":"Organization5/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo5","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T11:34:35.586+0000","org":"Organization1","created_at":"2023-03-08T11:34:35.586+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User2","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T08:50:00.944+0000","org":"Organization10","repo":"Organization10/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo2","repository_public":"true","actor":"User4"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T12:53:49.618+0000","org":"Organization3","created_at":"2023-03-04T12:53:49.618+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T07:08:07.806+0000","org":"Organization10","repo":"Organization10/Repo2","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo9","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T13:43:53.205+0000","org":"Organization6","created_at":"2023-03-04T13:43:53.205+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T16:30:38.317+0000","org":"Organization5","created_at":"2023-03-01T16:30:38.317+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User10","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T12:56:37.092+0000","org":"Organization7","created_at":"2023-03-02T12:56:37.092+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T18:35:51.339+0000","org":"Organization9","created_at":"2023-03-05T18:35:51.339+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User4","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T17:26:12.787+0000","org":"Organization6","created_at":"2023-03-01T17:26:12.787+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User8","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T05:35:34.707+0000","org":"Organization10","created_at":"2023-03-08T05:35:34.707+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T02:04:24.040+0000","org":"Organization8","repo":"Organization8/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo4","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T12:19:44.961+0000","org":"Organization10","created_at":"2023-03-03T12:19:44.961+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-08T02:48:34.943+0000","org":"Organization7","created_at":"2023-03-08T02:48:34.943+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T00:07:12.384+0000","org":"Organization8","repo":"Organization8/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo10","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T10:24:40.087+0000","org":"Organization1","created_at":"2023-03-07T10:24:40.087+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User3","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T19:02:06.462+0000","org":"Organization7","created_at":"2023-03-07T19:02:06.462+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T23:59:33.367+0000","org":"Organization5","repo":"Organization5/Repo5","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T06:48:06.514+0000","org":"Organization10","created_at":"2023-03-06T06:48:06.514+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T11:06:46.636+0000","org":"Organization3","created_at":"2023-03-02T11:06:46.636+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T18:39:33.940+0000","org":"Organization4","created_at":"2023-03-07T18:39:33.940+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T15:03:55.026+0000","org":"Organization8","created_at":"2023-03-02T15:03:55.026+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T10:56:24.193+0000","org":"Organization7","repo":"Organization7/Repo6","created_at":"2023-03-02T10:56:24.193+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T18:28:55.709+0000","org":"Organization3","created_at":"2023-03-04T18:28:55.709+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User10","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T10:35:14.740+0000","org":"Organization6","created_at":"2023-03-07T10:35:14.740+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T04:01:11.294+0000","org":"Organization10","created_at":"2023-03-06T04:01:11.294+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User9","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T23:54:55.547+0000","org":"Organization7","created_at":"2023-03-01T23:54:55.547+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User10","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T18:38:47.283+0000","org":"Organization5","created_at":"2023-03-05T18:38:47.283+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User3","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T02:07:11.817+0000","org":"Organization4","created_at":"2023-03-08T02:07:11.817+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User6","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T16:03:21.099+0000","org":"Organization9","repo":"Organization9/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo1","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T12:28:51.390+0000","org":"Organization5","created_at":"2023-03-05T12:28:51.390+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User8","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T02:48:35.634+0000","org":"Organization5","created_at":"2023-03-05T02:48:35.634+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T03:49:02.663+0000","org":"Organization4","repo":"Organization4/Repo8","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo10","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T02:28:47.021+0000","org":"Organization5","repo":"Organization5/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T22:45:47.711+0000","org":"Organization8","created_at":"2023-03-06T22:45:47.711+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User10","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T10:37:00.774+0000","org":"Organization1","repo":"Organization1/Repo6","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo2","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T22:49:04.114+0000","org":"Organization2","created_at":"2023-03-04T22:49:04.114+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T03:23:06.218+0000","org":"Organization2","repo":"Organization2/Repo3","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo6","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T11:56:39.704+0000","org":"Organization4","repo":"Organization4/Repo9","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T14:59:43.842+0000","org":"Organization2","created_at":"2023-03-06T14:59:43.842+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T14:52:13.826+0000","org":"Organization4","created_at":"2023-03-06T14:52:13.826+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User2","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T01:48:11.447+0000","org":"Organization6","repo":"Organization6/Repo3","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T09:06:18.811+0000","visibility":"public","org":"Organization7","repo":"Organization7/Repo10","created_at":"2023-03-02T09:06:18.811+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T10:47:24.727+0000","org":"Organization5","repo":"Organization5/Repo1","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo3","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T20:11:04.351+0000","org":"Organization10","repo":"Organization10/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo10","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T00:51:25.046+0000","org":"Organization2","created_at":"2023-03-03T00:51:25.046+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User8","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T04:14:38.517+0000","org":"Organization6","created_at":"2023-03-07T04:14:38.517+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T17:33:34.477+0000","org":"Organization1","created_at":"2023-03-06T17:33:34.477+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User4","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T10:57:08.409+0000","org":"Organization7","repo":"Organization7/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo10","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T18:48:45.385+0000","visibility":"private_internal","org":"Organization1","created_at":"2023-03-06T18:48:45.385+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T21:35:09.782+0000","org":"Organization3","repo":"Organization3/Repo4","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo6","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T04:55:16.883+0000","org":"Organization4","created_at":"2023-03-04T04:55:16.883+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T20:52:15.562+0000","org":"Organization8","created_at":"2023-03-03T20:52:15.562+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T15:44:52.950+0000","org":"Organization6","repo":"Organization6/Repo9","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T19:11:19.583+0000","org":"Organization5","created_at":"2023-03-03T19:11:19.583+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User3","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T00:57:43.954+0000","visibility":"private","org":"Organization7","repo":"Organization7/Repo1","created_at":"2023-03-05T00:57:43.954+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T14:02:13.917+0000","org":"Organization8","created_at":"2023-03-05T14:02:13.917+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T23:54:43.501+0000","visibility":"public","org":"Organization10","repo":"Organization10/Repo3","created_at":"2023-03-07T23:54:43.501+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T09:43:03.347+0000","org":"Organization1","created_at":"2023-03-07T09:43:03.347+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User9","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T08:41:01.986+0000","org":"Organization6","repo":"Organization6/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo10","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T13:16:04.950+0000","visibility":"private_internal","org":"Organization3","created_at":"2023-03-03T13:16:04.950+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T20:56:47.298+0000","org":"Organization3","repo":"Organization3/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo7","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T05:30:21.124+0000","org":"Organization9","repo":"Organization9/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo7","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T00:08:05.582+0000","org":"Organization5","repo":"Organization5/Repo6","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T04:06:01.426+0000","org":"Organization9","created_at":"2023-03-03T04:06:01.426+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T12:29:29.715+0000","org":"Organization9","repo":"Organization9/Repo2","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T17:06:19.974+0000","visibility":"public","org":"Organization4","repo":"Organization4/Repo8","created_at":"2023-03-03T17:06:19.974+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T17:23:00.725+0000","org":"Organization1","created_at":"2023-03-07T17:23:00.725+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User10","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T18:44:42.304+0000","org":"Organization10","repo":"Organization10/Repo3","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T08:38:43.177+0000","org":"Organization8","created_at":"2023-03-08T08:38:43.177+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T19:39:43.964+0000","org":"Organization7","created_at":"2023-03-06T19:39:43.964+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T10:09:37.289+0000","org":"Organization4","created_at":"2023-03-08T10:09:37.289+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T17:39:44.261+0000","org":"Organization10","repo":"Organization10/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo3","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T05:11:49.036+0000","org":"Organization4","created_at":"2023-03-04T05:11:49.036+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T03:05:33.770+0000","org":"Organization9","created_at":"2023-03-03T03:05:33.770+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User1","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T18:13:04.047+0000","org":"Organization1","created_at":"2023-03-03T18:13:04.047+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User9","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T21:22:46.623+0000","org":"Organization9","created_at":"2023-03-07T21:22:46.623+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-06T16:19:52.622+0000","active":"true","actor":"User9","@timestamp":"2023-03-06T16:19:52.622+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T21:15:56.288+0000","org":"Organization5","repo":"Organization5/Repo2","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo1","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T08:28:02.158+0000","org":"Organization8","repo":"Organization8/Repo6","created_at":"2023-03-02T08:28:02.158+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User10","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T20:31:21.001+0000","org":"Organization9","created_at":"2023-03-03T20:31:21.001+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T13:07:42.518+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo10","created_at":"2023-03-07T13:07:42.518+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T14:54:15.832+0000","org":"Organization10","created_at":"2023-03-02T14:54:15.832+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User8","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T05:51:29.423+0000","org":"Organization5","created_at":"2023-03-08T05:51:29.423+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User3","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T09:22:03.697+0000","org":"Organization8","created_at":"2023-03-05T09:22:03.697+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User6","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T05:23:40.626+0000","org":"Organization7","created_at":"2023-03-03T05:23:40.626+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T21:33:57.019+0000","visibility":"internal","org":"Organization7","created_at":"2023-03-04T21:33:57.019+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization7","created_at":"2023-03-05T23:37:56.886+0000","active":"true","actor":"User10","@timestamp":"2023-03-05T23:37:56.886+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T19:56:10.818+0000","org":"Organization4","repo":"Organization4/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo9","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T04:28:51.464+0000","visibility":"internal","org":"Organization9","created_at":"2023-03-04T04:28:51.464+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T16:17:55.122+0000","org":"Organization9","created_at":"2023-03-07T16:17:55.122+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T08:05:55.769+0000","org":"Organization9","repo":"Organization9/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"false","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T17:50:00.804+0000","org":"Organization2","created_at":"2023-03-02T17:50:00.804+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User2","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T07:41:38.637+0000","org":"Organization10","repo":"Organization10/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo8","repository_public":"false","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T01:18:09.838+0000","org":"Organization2","repo":"Organization2/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo9","repository_public":"false","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T23:23:14.624+0000","org":"Organization2","created_at":"2023-03-05T23:23:14.624+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T21:47:38.309+0000","org":"Organization1","repo":"Organization1/Repo6","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T13:23:30.693+0000","org":"Organization10","repo":"Organization10/Repo5","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo4","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T19:59:16.595+0000","org":"Organization3","repo":"Organization3/Repo10","created_at":"2023-03-03T19:59:16.595+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T04:23:36.649+0000","org":"Organization7","created_at":"2023-03-02T04:23:36.649+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T08:52:02.239+0000","org":"Organization1","created_at":"2023-03-05T08:52:02.239+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T11:22:41.326+0000","org":"Organization5","repo":"Organization5/Repo1","created_at":"2023-03-04T11:22:41.326+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T01:00:44.807+0000","org":"Organization5","created_at":"2023-03-04T01:00:44.807+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User5","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T06:00:39.951+0000","org":"Organization5","created_at":"2023-03-04T06:00:39.951+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User8","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T03:13:21.903+0000","org":"Organization4","repo":"Organization4/Repo10","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T18:17:39.369+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo5","created_at":"2023-03-03T18:17:39.369+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T03:39:01.374+0000","org":"Organization6","created_at":"2023-03-02T03:39:01.374+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User4","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T00:22:33.159+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo4","created_at":"2023-03-03T00:22:33.159+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T13:23:46.584+0000","org":"Organization9","created_at":"2023-03-04T13:23:46.584+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User7","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T02:48:39.971+0000","org":"Organization1","repo":"Organization1/Repo10","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo7","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T15:43:22.444+0000","org":"Organization2","created_at":"2023-03-07T15:43:22.444+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User2","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T03:10:54.430+0000","org":"Organization9","created_at":"2023-03-05T03:10:54.430+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T01:56:21.116+0000","visibility":"public","org":"Organization8","repo":"Organization8/Repo3","created_at":"2023-03-02T01:56:21.116+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T04:23:38.498+0000","org":"Organization2","created_at":"2023-03-06T04:23:38.498+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User1","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization2","created_at":"2023-03-08T04:47:15.501+0000","active":"true","actor":"User4","@timestamp":"2023-03-08T04:47:15.501+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T14:19:54.561+0000","org":"Organization4","repo":"Organization4/Repo9","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T17:03:07.347+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo4","created_at":"2023-03-01T17:03:07.347+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T11:34:05.619+0000","visibility":"private","org":"Organization3","repo":"Organization3/Repo3","created_at":"2023-03-03T11:34:05.619+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T21:43:58.549+0000","org":"Organization6","created_at":"2023-03-07T21:43:58.549+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User2","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-01T17:58:17.621+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo1","created_at":"2023-03-01T17:58:17.621+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T22:48:32.283+0000","org":"Organization1","repo":"Organization1/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo8","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T03:34:06.089+0000","org":"Organization10","created_at":"2023-03-02T03:34:06.089+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T02:35:18.834+0000","org":"Organization2","repo":"Organization2/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo3","repository_public":"false","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-08T02:00:55.836+0000","org":"Organization10","created_at":"2023-03-08T02:00:55.836+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T06:21:12.459+0000","org":"Organization5","created_at":"2023-03-05T06:21:12.459+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T16:26:50.981+0000","org":"Organization5","created_at":"2023-03-07T16:26:50.981+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T15:44:49.976+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo4","created_at":"2023-03-07T15:44:49.976+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T18:37:29.199+0000","org":"Organization3","created_at":"2023-03-01T18:37:29.199+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User4","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T03:07:29.656+0000","org":"Organization4","repo":"Organization4/Repo9","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo7","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T20:26:42.128+0000","org":"Organization9","repo":"Organization9/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T12:12:40.404+0000","org":"Organization1","created_at":"2023-03-07T12:12:40.404+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User3","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T20:02:27.035+0000","org":"Organization3","repo":"Organization3/Repo2","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo3","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T10:27:22.419+0000","org":"Organization3","created_at":"2023-03-02T10:27:22.419+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T01:26:00.682+0000","visibility":"private","org":"Organization2","repo":"Organization2/Repo1","created_at":"2023-03-03T01:26:00.682+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T10:29:47.786+0000","org":"Organization3","created_at":"2023-03-02T10:29:47.786+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T07:29:52.035+0000","org":"Organization6","repo":"Organization6/Repo9","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo5","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T20:53:41.952+0000","org":"Organization10","created_at":"2023-03-07T20:53:41.952+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User7","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T12:43:05.937+0000","org":"Organization4","repo":"Organization4/Repo8","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo9","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T07:45:56.503+0000","org":"Organization8","repo":"Organization8/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo5","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T11:06:23.937+0000","org":"Organization7","created_at":"2023-03-05T11:06:23.937+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User7","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T04:06:46.853+0000","org":"Organization2","created_at":"2023-03-05T04:06:46.853+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T04:04:05.845+0000","org":"Organization4","repo":"Organization4/Repo9","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo7","repository_public":"true","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T21:35:07.413+0000","org":"Organization9","created_at":"2023-03-02T21:35:07.413+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User6","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T04:24:05.693+0000","org":"Organization9","hook_id":"303999727","name":"webhook","created_at":"2023-03-08T04:24:05.693+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T11:31:30.102+0000","org":"Organization2","repo":"Organization2/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo10","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T17:56:26.330+0000","org":"Organization5","repo":"Organization5/Repo6","created_at":"2023-03-02T17:56:26.330+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T05:17:30.360+0000","org":"Organization10","repo":"Organization10/Repo4","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T17:49:51.088+0000","visibility":"private","org":"Organization3","repo":"Organization3/Repo7","created_at":"2023-03-04T17:49:51.088+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-01T16:14:56.870+0000","org":"Organization6","created_at":"2023-03-01T16:14:56.870+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User4","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T23:46:26.919+0000","org":"Organization2","created_at":"2023-03-06T23:46:26.919+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T02:56:36.543+0000","org":"Organization7","created_at":"2023-03-02T02:56:36.543+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T08:17:28.481+0000","org":"Organization9","created_at":"2023-03-02T08:17:28.481+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T03:54:50.199+0000","org":"Organization9","created_at":"2023-03-03T03:54:50.199+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User6","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T23:26:41.128+0000","org":"Organization9","repo":"Organization9/Repo2","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo3","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T15:46:48.416+0000","org":"Organization9","created_at":"2023-03-01T15:46:48.416+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-01T17:26:37.121+0000","org":"Organization7","created_at":"2023-03-01T17:26:37.121+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User7","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T07:45:53.353+0000","org":"Organization6","repo":"Organization6/Repo8","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T03:37:56.725+0000","org":"Organization5","created_at":"2023-03-08T03:37:56.725+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User7","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T16:11:54.326+0000","org":"Organization10","created_at":"2023-03-04T16:11:54.326+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-05T18:52:58.068+0000","org":"Organization2","created_at":"2023-03-05T18:52:58.068+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User5","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T08:50:22.442+0000","org":"Organization5","repo":"Organization5/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo3","repository_public":"false","actor":"User6"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T22:36:22.245+0000","visibility":"private","org":"Organization3","repo":"Organization3/Repo1","created_at":"2023-03-05T22:36:22.245+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T02:03:31.324+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo2","created_at":"2023-03-03T02:03:31.324+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T03:20:08.447+0000","org":"Organization5","created_at":"2023-03-02T03:20:08.447+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T18:32:44.946+0000","org":"Organization5","created_at":"2023-03-04T18:32:44.946+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User10","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T09:16:25.766+0000","org":"Organization3","repo":"Organization3/Repo1","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T15:32:26.896+0000","org":"Organization5","created_at":"2023-03-02T15:32:26.896+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T19:30:29.676+0000","org":"Organization2","created_at":"2023-03-02T19:30:29.676+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T11:42:00.093+0000","org":"Organization5","created_at":"2023-03-07T11:42:00.093+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User4","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T05:33:06.424+0000","org":"Organization5","created_at":"2023-03-07T05:33:06.424+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T21:08:46.085+0000","org":"Organization10","created_at":"2023-03-06T21:08:46.085+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User10","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T12:43:12.348+0000","org":"Organization2","created_at":"2023-03-02T12:43:12.348+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User1","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T20:29:55.733+0000","org":"Organization5","repo":"Organization5/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo6","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T03:09:51.263+0000","org":"Organization8","created_at":"2023-03-03T03:09:51.263+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T12:31:27.790+0000","org":"Organization3","hook_id":"303999727","name":"webhook","created_at":"2023-03-02T12:31:27.790+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T06:02:53.636+0000","org":"Organization4","created_at":"2023-03-03T06:02:53.636+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T15:45:19.134+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo2","created_at":"2023-03-05T15:45:19.134+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T14:59:23.223+0000","org":"Organization3","created_at":"2023-03-05T14:59:23.223+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User1","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T13:51:10.517+0000","org":"Organization1","repo":"Organization1/Repo8","created_at":"2023-03-04T13:51:10.517+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T15:49:44.448+0000","org":"Organization4","created_at":"2023-03-04T15:49:44.448+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User8","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T04:42:12.570+0000","visibility":"internal","org":"Organization10","created_at":"2023-03-04T04:42:12.570+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T03:48:46.178+0000","org":"Organization6","created_at":"2023-03-04T03:48:46.178+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T01:22:53.147+0000","org":"Organization9","repo":"Organization9/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"false","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T13:52:13.449+0000","org":"Organization10","created_at":"2023-03-04T13:52:13.449+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-07T10:34:06.318+0000","org":"Organization6","created_at":"2023-03-07T10:34:06.318+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T20:06:22.369+0000","org":"Organization9","created_at":"2023-03-04T20:06:22.369+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T03:56:51.133+0000","org":"Organization3","hook_id":"303999727","name":"webhook","created_at":"2023-03-03T03:56:51.133+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T17:57:59.288+0000","org":"Organization5","created_at":"2023-03-02T17:57:59.288+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T11:41:54.787+0000","org":"Organization2","repo":"Organization2/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo4","repository_public":"false","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T14:07:31.909+0000","org":"Organization9","created_at":"2023-03-07T14:07:31.909+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T19:07:24.679+0000","org":"Organization1","created_at":"2023-03-06T19:07:24.679+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User3","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T12:16:50.132+0000","org":"Organization2","created_at":"2023-03-06T12:16:50.132+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User7","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T08:34:54.394+0000","org":"Organization9","repo":"Organization9/Repo9","created_at":"2023-03-04T08:34:54.394+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T09:33:28.550+0000","org":"Organization10","repo":"Organization10/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo3","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-08T07:17:30.261+0000","visibility":"private_internal","org":"Organization1","created_at":"2023-03-08T07:17:30.261+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T05:18:37.007+0000","org":"Organization6","created_at":"2023-03-03T05:18:37.007+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User3","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T14:18:38.001+0000","org":"Organization3","created_at":"2023-03-03T14:18:38.001+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T22:29:27.751+0000","org":"Organization2","repo":"Organization2/Repo5","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo8","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization8","created_at":"2023-03-06T09:39:32.938+0000","active":"true","actor":"User1","@timestamp":"2023-03-06T09:39:32.938+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T00:04:12.302+0000","org":"Organization1","created_at":"2023-03-06T00:04:12.302+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User10","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T23:51:55.055+0000","org":"Organization2","repo":"Organization2/Repo1","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo5","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T08:00:18.135+0000","org":"Organization10","created_at":"2023-03-06T08:00:18.135+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User10","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T08:59:57.038+0000","org":"Organization7","created_at":"2023-03-08T08:59:57.038+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T06:53:48.675+0000","org":"Organization8","created_at":"2023-03-07T06:53:48.675+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T02:53:16.452+0000","org":"Organization4","created_at":"2023-03-07T02:53:16.452+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T06:31:46.124+0000","org":"Organization10","created_at":"2023-03-05T06:31:46.124+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User1","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T16:34:19.546+0000","org":"Organization10","repo":"Organization10/Repo9","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo7","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T08:42:56.143+0000","org":"Organization1","created_at":"2023-03-06T08:42:56.143+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User3","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T16:47:24.072+0000","org":"Organization7","repo":"Organization7/Repo10","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization6","created_at":"2023-03-03T03:38:46.177+0000","active":"true","actor":"User1","@timestamp":"2023-03-03T03:38:46.177+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-08T02:38:53.164+0000","org":"Organization5","created_at":"2023-03-08T02:38:53.164+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T17:02:16.806+0000","org":"Organization7","repo":"Organization7/Repo4","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo8","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T14:58:31.631+0000","org":"Organization7","created_at":"2023-03-03T14:58:31.631+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-08T04:30:06.299+0000","org":"Organization1","repo":"Organization1/Repo2","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T16:56:45.650+0000","org":"Organization5","repo":"Organization5/Repo3","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo8","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T21:12:03.333+0000","org":"Organization3","repo":"Organization3/Repo5","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-07T05:37:53.011+0000","active":"true","actor":"User1","@timestamp":"2023-03-07T05:37:53.011+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T17:29:56.212+0000","org":"Organization9","created_at":"2023-03-05T17:29:56.212+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T14:48:14.075+0000","org":"Organization8","created_at":"2023-03-07T14:48:14.075+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User3","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T17:00:51.316+0000","org":"Organization3","repo":"Organization3/Repo7","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo7","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T20:08:48.480+0000","visibility":"public","org":"Organization1","repo":"Organization1/Repo8","created_at":"2023-03-05T20:08:48.480+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T18:57:29.111+0000","org":"Organization5","created_at":"2023-03-02T18:57:29.111+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T20:17:54.885+0000","org":"Organization1","created_at":"2023-03-07T20:17:54.885+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User5","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T19:00:22.091+0000","org":"Organization1","repo":"Organization1/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo1","repository_public":"false","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T05:41:35.619+0000","org":"Organization3","created_at":"2023-03-07T05:41:35.619+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T11:27:35.615+0000","org":"Organization9","created_at":"2023-03-08T11:27:35.615+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T01:02:56.744+0000","org":"Organization6","created_at":"2023-03-04T01:02:56.744+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User4","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T00:21:40.566+0000","org":"Organization7","repo":"Organization7/Repo2","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo3","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T08:51:35.863+0000","org":"Organization9","repo":"Organization9/Repo5","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T13:46:07.039+0000","org":"Organization5","created_at":"2023-03-02T13:46:07.039+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User3","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T03:24:29.677+0000","org":"Organization10","repo":"Organization10/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo8","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T08:06:50.586+0000","org":"Organization9","created_at":"2023-03-05T08:06:50.586+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T20:55:22.624+0000","org":"Organization10","created_at":"2023-03-07T20:55:22.624+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User10","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-05T11:12:30.315+0000","active":"true","actor":"User1","@timestamp":"2023-03-05T11:12:30.315+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T23:24:11.423+0000","org":"Organization6","created_at":"2023-03-06T23:24:11.423+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T04:28:49.209+0000","org":"Organization5","repo":"Organization5/Repo10","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo8","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T01:11:51.001+0000","org":"Organization10","created_at":"2023-03-05T01:11:51.001+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T02:09:07.377+0000","org":"Organization10","repo":"Organization10/Repo3","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo8","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T22:56:46.612+0000","visibility":"private_internal","org":"Organization8","created_at":"2023-03-03T22:56:46.612+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T06:56:47.020+0000","org":"Organization5","created_at":"2023-03-03T06:56:47.020+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T21:16:21.456+0000","org":"Organization6","created_at":"2023-03-01T21:16:21.456+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T23:32:14.498+0000","org":"Organization9","created_at":"2023-03-05T23:32:14.498+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-01T14:39:22.448+0000","active":"true","actor":"User8","@timestamp":"2023-03-01T14:39:22.448+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T21:04:49.181+0000","org":"Organization1","created_at":"2023-03-06T21:04:49.181+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-08T11:47:33.387+0000","org":"Organization5","created_at":"2023-03-08T11:47:33.387+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T10:01:03.731+0000","org":"Organization8","created_at":"2023-03-03T10:01:03.731+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T03:47:38.638+0000","org":"Organization9","created_at":"2023-03-06T03:47:38.638+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T10:18:07.967+0000","org":"Organization1","repo":"Organization1/Repo5","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo6","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T01:33:49.205+0000","org":"Organization5","created_at":"2023-03-02T01:33:49.205+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User3","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T19:30:57.656+0000","org":"Organization9","repo":"Organization9/Repo10","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T07:08:38.121+0000","org":"Organization8","repo":"Organization8/Repo9","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo10","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T23:04:42.662+0000","org":"Organization5","created_at":"2023-03-03T23:04:42.662+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T12:52:41.193+0000","org":"Organization3","created_at":"2023-03-07T12:52:41.193+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User1","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T06:06:35.136+0000","org":"Organization1","created_at":"2023-03-04T06:06:35.136+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User4","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T09:54:58.020+0000","org":"Organization4","created_at":"2023-03-05T09:54:58.020+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T06:16:36.109+0000","org":"Organization5","created_at":"2023-03-06T06:16:36.109+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T23:07:18.020+0000","org":"Organization3","created_at":"2023-03-06T23:07:18.020+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User6","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T16:46:51.797+0000","org":"Organization10","created_at":"2023-03-04T16:46:51.797+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User1","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T06:30:31.553+0000","org":"Organization3","created_at":"2023-03-03T06:30:31.553+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User8","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T07:20:53.173+0000","org":"Organization4","repo":"Organization4/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo6","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T03:08:25.737+0000","visibility":"internal","org":"Organization4","created_at":"2023-03-05T03:08:25.737+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T03:20:28.803+0000","org":"Organization8","created_at":"2023-03-02T03:20:28.803+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User1","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T19:32:00.999+0000","org":"Organization2","repo":"Organization2/Repo6","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo8","repository_public":"false","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T14:14:37.418+0000","org":"Organization9","hook_id":"303999727","name":"webhook","created_at":"2023-03-05T14:14:37.418+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T17:42:55.524+0000","visibility":"internal","org":"Organization10","created_at":"2023-03-07T17:42:55.524+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T01:51:33.737+0000","org":"Organization10","created_at":"2023-03-04T01:51:33.737+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User7","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T03:27:11.009+0000","org":"Organization7","repo":"Organization7/Repo8","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T08:39:16.015+0000","org":"Organization1","created_at":"2023-03-02T08:39:16.015+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T20:58:39.208+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo8","created_at":"2023-03-04T20:58:39.208+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T11:10:33.776+0000","org":"Organization4","created_at":"2023-03-04T11:10:33.776+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User5","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T13:40:51.169+0000","org":"Organization1","created_at":"2023-03-07T13:40:51.169+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T00:38:49.948+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo4","created_at":"2023-03-06T00:38:49.948+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T05:09:21.085+0000","visibility":"private_internal","org":"Organization5","created_at":"2023-03-02T05:09:21.085+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T16:50:05.216+0000","org":"Organization8","created_at":"2023-03-03T16:50:05.216+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User4","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T02:11:42.635+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo9","created_at":"2023-03-04T02:11:42.635+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization6","created_at":"2023-03-05T21:25:08.510+0000","active":"true","actor":"User10","@timestamp":"2023-03-05T21:25:08.510+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T01:48:22.986+0000","visibility":"internal","org":"Organization9","created_at":"2023-03-02T01:48:22.986+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T06:49:37.575+0000","org":"Organization10","created_at":"2023-03-02T06:49:37.575+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User9","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T02:35:15.490+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo6","created_at":"2023-03-03T02:35:15.490+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization7","created_at":"2023-03-07T18:13:44.580+0000","active":"true","actor":"User8","@timestamp":"2023-03-07T18:13:44.580+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T00:38:03.862+0000","org":"Organization8","repo":"Organization8/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo2","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T22:24:34.130+0000","org":"Organization1","created_at":"2023-03-01T22:24:34.130+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T09:31:07.355+0000","org":"Organization6","created_at":"2023-03-03T09:31:07.355+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User7","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T16:20:11.178+0000","org":"Organization5","repo":"Organization5/Repo7","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo7","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T09:26:27.891+0000","org":"Organization9","created_at":"2023-03-03T09:26:27.891+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T15:56:12.312+0000","org":"Organization2","repo":"Organization2/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo6","repository_public":"false","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T19:02:32.446+0000","org":"Organization9","created_at":"2023-03-07T19:02:32.446+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T20:46:42.459+0000","org":"Organization5","created_at":"2023-03-03T20:46:42.459+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User3","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T21:49:42.128+0000","org":"Organization2","repo":"Organization2/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo4","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T10:18:42.798+0000","org":"Organization4","created_at":"2023-03-04T10:18:42.798+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T12:35:02.903+0000","org":"Organization1","created_at":"2023-03-05T12:35:02.903+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T10:36:48.298+0000","visibility":"private","org":"Organization2","repo":"Organization2/Repo6","created_at":"2023-03-03T10:36:48.298+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization3","created_at":"2023-03-03T22:46:57.800+0000","active":"true","actor":"User7","@timestamp":"2023-03-03T22:46:57.800+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T14:37:09.486+0000","org":"Organization3","created_at":"2023-03-06T14:37:09.486+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User9","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T04:51:19.486+0000","org":"Organization2","created_at":"2023-03-07T04:51:19.486+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User2","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T00:23:15.625+0000","org":"Organization7","created_at":"2023-03-06T00:23:15.625+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User7","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T03:47:22.564+0000","org":"Organization6","repo":"Organization6/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo2","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization3","created_at":"2023-03-07T12:59:10.191+0000","active":"true","actor":"User9","@timestamp":"2023-03-07T12:59:10.191+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T14:25:55.445+0000","org":"Organization5","created_at":"2023-03-06T14:25:55.445+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T16:12:40.578+0000","org":"Organization9","created_at":"2023-03-06T16:12:40.578+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User9","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T22:56:44.061+0000","org":"Organization8","created_at":"2023-03-07T22:56:44.061+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User4","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T20:41:50.792+0000","org":"Organization5","created_at":"2023-03-07T20:41:50.792+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T09:10:31.974+0000","org":"Organization9","repo":"Organization9/Repo8","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo10","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T08:00:55.168+0000","org":"Organization9","created_at":"2023-03-04T08:00:55.168+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization4","created_at":"2023-03-01T21:41:02.084+0000","active":"true","actor":"User1","@timestamp":"2023-03-01T21:41:02.084+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T21:42:58.001+0000","org":"Organization4","created_at":"2023-03-07T21:42:58.001+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T02:19:13.533+0000","org":"Organization10","repo":"Organization10/Repo1","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T18:32:43.266+0000","org":"Organization4","created_at":"2023-03-05T18:32:43.266+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User2","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T14:39:44.164+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo5","created_at":"2023-03-03T14:39:44.164+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-08T07:15:55.644+0000","org":"Organization7","hook_id":"303999727","name":"webhook","created_at":"2023-03-08T07:15:55.644+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T17:47:14.909+0000","org":"Organization9","repo":"Organization9/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T04:04:17.247+0000","org":"Organization6","created_at":"2023-03-06T04:04:17.247+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T09:12:42.790+0000","org":"Organization2","created_at":"2023-03-05T09:12:42.790+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T05:58:50.686+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo8","created_at":"2023-03-07T05:58:50.686+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T22:35:50.199+0000","org":"Organization2","hook_id":"303999727","name":"webhook","created_at":"2023-03-04T22:35:50.199+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T03:02:50.148+0000","org":"Organization3","repo":"Organization3/Repo6","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo10","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T16:26:36.021+0000","org":"Organization8","created_at":"2023-03-05T16:26:36.021+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-03T11:13:03.739+0000","org":"Organization7","created_at":"2023-03-03T11:13:03.739+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T11:57:57.464+0000","org":"Organization5","repo":"Organization5/Repo2","created_at":"2023-03-05T11:57:57.464+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T23:54:22.243+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo5","created_at":"2023-03-05T23:54:22.243+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-03T19:55:34.925+0000","visibility":"private_internal","org":"Organization1","created_at":"2023-03-03T19:55:34.925+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T11:33:52.651+0000","org":"Organization3","created_at":"2023-03-04T11:33:52.651+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User8","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T17:02:41.109+0000","org":"Organization3","created_at":"2023-03-05T17:02:41.109+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T21:22:06.490+0000","org":"Organization6","repo":"Organization6/Repo5","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo2","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T12:09:43.220+0000","org":"Organization5","created_at":"2023-03-03T12:09:43.220+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T03:22:32.512+0000","org":"Organization7","repo":"Organization7/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo9","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T00:47:47.381+0000","visibility":"private_internal","org":"Organization1","created_at":"2023-03-07T00:47:47.381+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T09:47:43.283+0000","org":"Organization10","created_at":"2023-03-05T09:47:43.283+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User6","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T02:53:48.623+0000","org":"Organization5","created_at":"2023-03-07T02:53:48.623+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T21:06:18.213+0000","org":"Organization3","created_at":"2023-03-07T21:06:18.213+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User9","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T02:59:03.759+0000","org":"Organization1","created_at":"2023-03-05T02:59:03.759+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T03:20:43.950+0000","org":"Organization1","repo":"Organization1/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo9","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T19:28:57.470+0000","org":"Organization3","created_at":"2023-03-01T19:28:57.470+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User8","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T08:24:01.831+0000","org":"Organization3","created_at":"2023-03-08T08:24:01.831+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T06:40:46.781+0000","org":"Organization5","repo":"Organization5/Repo7","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T02:23:35.715+0000","org":"Organization6","repo":"Organization6/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo1","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T18:59:09.252+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo8","created_at":"2023-03-07T18:59:09.252+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T16:09:14.135+0000","org":"Organization8","created_at":"2023-03-06T16:09:14.135+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-02T14:57:00.880+0000","org":"Organization7","created_at":"2023-03-02T14:57:00.880+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T08:30:24.776+0000","org":"Organization5","created_at":"2023-03-05T08:30:24.776+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User3","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T01:09:14.384+0000","org":"Organization1","repo":"Organization1/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo4","repository_public":"false","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T06:38:03.218+0000","org":"Organization6","created_at":"2023-03-03T06:38:03.218+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T15:45:21.976+0000","org":"Organization1","created_at":"2023-03-03T15:45:21.976+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User4","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T00:14:44.438+0000","org":"Organization3","repo":"Organization3/Repo7","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo8","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-04T17:26:51.450+0000","org":"Organization2","created_at":"2023-03-04T17:26:51.450+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User2","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T00:02:25.794+0000","org":"Organization3","created_at":"2023-03-03T00:02:25.794+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User4","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T08:15:42.391+0000","org":"Organization6","created_at":"2023-03-06T08:15:42.391+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User1","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T08:40:19.395+0000","visibility":"internal","org":"Organization1","created_at":"2023-03-04T08:40:19.395+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T12:22:10.536+0000","org":"Organization1","created_at":"2023-03-02T12:22:10.536+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User4","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T10:06:07.601+0000","org":"Organization1","created_at":"2023-03-04T10:06:07.601+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User10","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T17:37:52.342+0000","org":"Organization6","repo":"Organization6/Repo7","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T13:07:50.212+0000","org":"Organization6","repo":"Organization6/Repo3","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo3","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T15:36:23.581+0000","org":"Organization10","repo":"Organization10/Repo5","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T12:52:37.438+0000","org":"Organization9","created_at":"2023-03-06T12:52:37.438+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User2","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T02:11:03.588+0000","org":"Organization5","created_at":"2023-03-06T02:11:03.588+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User9","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T05:13:24.398+0000","org":"Organization6","created_at":"2023-03-06T05:13:24.398+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T22:39:22.612+0000","org":"Organization3","created_at":"2023-03-02T22:39:22.612+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T08:52:22.789+0000","org":"Organization4","created_at":"2023-03-05T08:52:22.789+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User5","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T00:46:38.733+0000","org":"Organization7","repo":"Organization7/Repo7","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo4","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T21:49:46.715+0000","visibility":"internal","org":"Organization8","created_at":"2023-03-07T21:49:46.715+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T21:21:15.346+0000","org":"Organization3","repo":"Organization3/Repo4","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T19:17:16.484+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo5","created_at":"2023-03-01T19:17:16.484+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T05:45:55.083+0000","org":"Organization10","created_at":"2023-03-03T05:45:55.083+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T16:19:54.210+0000","org":"Organization1","created_at":"2023-03-06T16:19:54.210+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T04:42:20.523+0000","org":"Organization3","created_at":"2023-03-08T04:42:20.523+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T09:51:56.823+0000","org":"Organization1","created_at":"2023-03-02T09:51:56.823+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T00:23:39.856+0000","org":"Organization3","created_at":"2023-03-08T00:23:39.856+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User8","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T10:00:07.909+0000","org":"Organization6","created_at":"2023-03-02T10:00:07.909+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T16:10:52.701+0000","org":"Organization7","created_at":"2023-03-06T16:10:52.701+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T11:09:35.798+0000","org":"Organization10","repo":"Organization10/Repo10","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo5","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T14:33:57.369+0000","org":"Organization1","repo":"Organization1/Repo5","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo6","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T11:24:25.486+0000","org":"Organization6","repo":"Organization6/Repo6","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T11:59:13.944+0000","org":"Organization5","created_at":"2023-03-06T11:59:13.944+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T06:23:31.019+0000","org":"Organization6","created_at":"2023-03-07T06:23:31.019+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T16:49:50.805+0000","org":"Organization7","created_at":"2023-03-02T16:49:50.805+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User5","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T04:14:17.553+0000","org":"Organization9","created_at":"2023-03-06T04:14:17.553+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User2","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T13:48:56.690+0000","org":"Organization10","created_at":"2023-03-07T13:48:56.690+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User4","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T18:56:36.887+0000","org":"Organization1","created_at":"2023-03-06T18:56:36.887+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User2","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T07:55:01.711+0000","visibility":"private_internal","org":"Organization5","created_at":"2023-03-06T07:55:01.711+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T11:44:59.201+0000","org":"Organization4","created_at":"2023-03-07T11:44:59.201+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User9","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T06:04:25.005+0000","org":"Organization5","created_at":"2023-03-03T06:04:25.005+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User1","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T21:16:41.257+0000","org":"Organization2","created_at":"2023-03-03T21:16:41.257+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T23:09:44.578+0000","org":"Organization2","repo":"Organization2/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo4","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T17:27:22.334+0000","visibility":"internal","org":"Organization6","created_at":"2023-03-04T17:27:22.334+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T10:05:57.256+0000","org":"Organization3","created_at":"2023-03-04T10:05:57.256+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-08T06:29:47.115+0000","org":"Organization1","created_at":"2023-03-08T06:29:47.115+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-08T09:38:47.469+0000","org":"Organization6","repo":"Organization6/Repo3","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo5","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T02:47:19.172+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo9","created_at":"2023-03-02T02:47:19.172+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T02:24:46.498+0000","org":"Organization4","created_at":"2023-03-04T02:24:46.498+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User1","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T02:50:16.561+0000","org":"Organization7","created_at":"2023-03-02T02:50:16.561+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User2","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T18:38:22.080+0000","org":"Organization1","repo":"Organization1/Repo2","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo10","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T08:37:41.179+0000","org":"Organization9","created_at":"2023-03-02T08:37:41.179+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User9","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T07:10:55.804+0000","org":"Organization7","created_at":"2023-03-05T07:10:55.804+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User9","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T00:41:48.623+0000","org":"Organization1","repo":"Organization1/Repo10","created_at":"2023-03-06T00:41:48.623+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User10","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T15:22:01.040+0000","org":"Organization8","created_at":"2023-03-04T15:22:01.040+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T16:14:09.428+0000","org":"Organization9","repo":"Organization9/Repo1","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-06T13:11:23.597+0000","org":"Organization3","created_at":"2023-03-06T13:11:23.597+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T08:21:55.695+0000","org":"Organization6","repo":"Organization6/Repo4","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T15:37:18.238+0000","org":"Organization6","repo":"Organization6/Repo7","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo6","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T04:26:43.158+0000","org":"Organization7","repo":"Organization7/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo10","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T00:03:36.038+0000","org":"Organization4","created_at":"2023-03-05T00:03:36.038+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T20:01:50.215+0000","org":"Organization9","created_at":"2023-03-02T20:01:50.215+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T21:29:30.121+0000","org":"Organization8","created_at":"2023-03-07T21:29:30.121+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T16:49:45.399+0000","org":"Organization8","created_at":"2023-03-05T16:49:45.399+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User5","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T19:23:24.519+0000","org":"Organization10","repo":"Organization10/Repo6","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T11:34:15.437+0000","org":"Organization8","created_at":"2023-03-06T11:34:15.437+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User2","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T05:46:07.112+0000","org":"Organization5","created_at":"2023-03-03T05:46:07.112+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T14:26:29.185+0000","org":"Organization3","created_at":"2023-03-01T14:26:29.185+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User6","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T08:48:10.906+0000","visibility":"internal","org":"Organization5","created_at":"2023-03-03T08:48:10.906+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T02:46:14.502+0000","org":"Organization5","hook_id":"303999727","name":"webhook","created_at":"2023-03-02T02:46:14.502+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-02T12:16:37.673+0000","org":"Organization6","created_at":"2023-03-02T12:16:37.673+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T04:16:11.958+0000","org":"Organization6","created_at":"2023-03-05T04:16:11.958+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User4","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T11:33:47.883+0000","org":"Organization4","repo":"Organization4/Repo1","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo9","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T02:54:12.936+0000","org":"Organization4","created_at":"2023-03-05T02:54:12.936+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User9","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T05:39:08.115+0000","visibility":"internal","org":"Organization1","created_at":"2023-03-03T05:39:08.115+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T23:26:19.986+0000","org":"Organization6","created_at":"2023-03-01T23:26:19.986+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T04:23:32.824+0000","org":"Organization1","created_at":"2023-03-07T04:23:32.824+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User10","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T02:51:39.951+0000","org":"Organization7","hook_id":"303999727","name":"webhook","created_at":"2023-03-06T02:51:39.951+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T01:43:29.988+0000","org":"Organization7","created_at":"2023-03-07T01:43:29.988+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User5","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T12:24:57.141+0000","org":"Organization5","created_at":"2023-03-06T12:24:57.141+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User6","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T14:20:45.313+0000","org":"Organization7","created_at":"2023-03-06T14:20:45.313+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T09:14:07.060+0000","org":"Organization10","created_at":"2023-03-04T09:14:07.060+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T01:38:22.057+0000","org":"Organization10","created_at":"2023-03-06T01:38:22.057+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T12:56:35.532+0000","org":"Organization4","created_at":"2023-03-06T12:56:35.532+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T13:31:59.217+0000","org":"Organization5","hook_id":"303999727","name":"webhook","created_at":"2023-03-07T13:31:59.217+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T05:43:16.875+0000","org":"Organization9","created_at":"2023-03-07T05:43:16.875+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User5","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T15:56:29.460+0000","visibility":"internal","org":"Organization4","created_at":"2023-03-04T15:56:29.460+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T09:51:45.167+0000","org":"Organization10","created_at":"2023-03-02T09:51:45.167+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T11:33:11.785+0000","org":"Organization9","repo":"Organization9/Repo4","created_at":"2023-03-02T11:33:11.785+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User2","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T23:18:28.187+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo7","created_at":"2023-03-05T23:18:28.187+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T13:36:17.119+0000","org":"Organization10","repo":"Organization10/Repo8","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo9","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T20:57:35.974+0000","org":"Organization6","created_at":"2023-03-01T20:57:35.974+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T02:08:51.902+0000","org":"Organization7","created_at":"2023-03-02T02:08:51.902+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User9","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T20:51:09.355+0000","org":"Organization3","created_at":"2023-03-06T20:51:09.355+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User5","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T15:00:22.596+0000","org":"Organization9","created_at":"2023-03-01T15:00:22.596+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T17:14:00.694+0000","org":"Organization3","created_at":"2023-03-05T17:14:00.694+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T00:55:14.907+0000","org":"Organization6","created_at":"2023-03-06T00:55:14.907+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T02:28:41.655+0000","org":"Organization9","repo":"Organization9/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo8","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove 
member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-04T04:57:15.352+0000","org":"Organization1","created_at":"2023-03-04T04:57:15.352+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T14:47:17.651+0000","org":"Organization3","repo":"Organization3/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo6","repository_public":"true","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T02:50:17.834+0000","org":"Organization9","repo":"Organization9/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo4","repository_public":"false","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T09:53:12.960+0000","org":"Organization1","created_at":"2023-03-07T09:53:12.960+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T03:57:38.526+0000","org":"Organization8","repo":"Organization8/Repo4","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo2","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T06:09:08.228+0000","org":"Organization5","created_at":"2023-03-02T06:09:08.228+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T22:32:07.575+0000","org":"Organization5","created_at":"2023-03-07T22:32:07.575+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User10","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T05:44:28.645+0000","org":"Organization9","created_at":"2023-03-05T05:44:28.645+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T18:10:44.598+0000","org":"Organization2","created_at":"2023-03-05T18:10:44.598+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User7","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T14:09:02.232+0000","visibility":"private","org":"Organization1","repo":"Organization1/Repo2","created_at":"2023-03-05T14:09:02.232+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T16:37:04.590+0000","org":"Organization10","created_at":"2023-03-06T16:37:04.590+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T04:04:21.877+0000","org":"Organization1","created_at":"2023-03-02T04:04:21.877+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User4","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T00:27:21.040+0000","org":"Organization9","created_at":"2023-03-03T00:27:21.040+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User1","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T20:05:39.354+0000","org":"Organization9","hook_id":"303999727","name":"webhook","created_at":"2023-03-03T20:05:39.354+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T23:29:08.127+0000","visibility":"internal","org":"Organization7","created_at":"2023-03-04T23:29:08.127+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T14:09:33.045+0000","org":"Organization7","created_at":"2023-03-07T14:09:33.045+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-02T00:36:27.260+0000","org":"Organization2","created_at":"2023-03-02T00:36:27.260+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User1","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T04:01:04.138+0000","org":"Organization10","created_at":"2023-03-02T04:01:04.138+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-01T18:50:35.221+0000","org":"Organization1","created_at":"2023-03-01T18:50:35.221+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User5","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T15:47:42.876+0000","org":"Organization2","repo":"Organization2/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo6","repository_public":"false","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T18:06:04.553+0000","visibility":"public","org":"Organization7","repo":"Organization7/Repo3","created_at":"2023-03-01T18:06:04.553+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T20:36:21.638+0000","visibility":"public","org":"Organization9","repo":"Organization9/Repo9","created_at":"2023-03-05T20:36:21.638+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization2","created_at":"2023-03-02T22:34:36.982+0000","active":"true","actor":"User4","@timestamp":"2023-03-02T22:34:36.982+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T22:12:40.550+0000","org":"Organization7","created_at":"2023-03-03T22:12:40.550+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User2","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T11:37:11.343+0000","org":"Organization6","created_at":"2023-03-06T11:37:11.343+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T02:56:12.249+0000","org":"Organization3","created_at":"2023-03-07T02:56:12.249+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T15:07:00.089+0000","org":"Organization8","created_at":"2023-03-06T15:07:00.089+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization1","created_at":"2023-03-04T06:25:40.633+0000","active":"true","actor":"User2","@timestamp":"2023-03-04T06:25:40.633+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T01:33:51.305+0000","visibility":"internal","org":"Organization9","created_at":"2023-03-06T01:33:51.305+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T23:51:40.440+0000","visibility":"internal","org":"Organization9","created_at":"2023-03-06T23:51:40.440+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T19:19:46.766+0000","org":"Organization10","repo":"Organization10/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo6","repository_public":"true","actor":"User3"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T22:30:05.292+0000","org":"Organization10","created_at":"2023-03-04T22:30:05.292+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User4","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T05:06:51.729+0000","org":"Organization9","hook_id":"303999727","name":"webhook","created_at":"2023-03-06T05:06:51.729+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T10:47:33.650+0000","visibility":"public","org":"Organization8","repo":"Organization8/Repo4","created_at":"2023-03-05T10:47:33.650+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T17:54:00.406+0000","org":"Organization2","created_at":"2023-03-07T17:54:00.406+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User1","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T03:35:01.035+0000","org":"Organization4","repo":"Organization4/Repo5","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-04T03:57:23.632+0000","org":"Organization4","created_at":"2023-03-04T03:57:23.632+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T06:00:29.832+0000","org":"Organization7","created_at":"2023-03-07T06:00:29.832+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T03:45:09.229+0000","org":"Organization3","repo":"Organization3/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo10","repository_public":"false","actor":"User4"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T16:32:15.307+0000","org":"Organization5","created_at":"2023-03-02T16:32:15.307+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User5","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T05:36:43.704+0000","org":"Organization3","created_at":"2023-03-08T05:36:43.704+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User1","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T11:33:11.442+0000","org":"Organization1","created_at":"2023-03-06T11:33:11.442+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T23:20:51.735+0000","org":"Organization3","created_at":"2023-03-06T23:20:51.735+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User1","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T20:46:36.211+0000","org":"Organization6","repo":"Organization6/Repo10","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo4","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T22:07:40.569+0000","org":"Organization2","created_at":"2023-03-07T22:07:40.569+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T08:41:15.267+0000","org":"Organization9","created_at":"2023-03-04T08:41:15.267+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User4","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T08:22:51.409+0000","org":"Organization1","repo":"Organization1/Repo4","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-06T00:39:33.991+0000","org":"Organization10","created_at":"2023-03-06T00:39:33.991+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User5","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T11:06:55.521+0000","org":"Organization5","created_at":"2023-03-08T11:06:55.521+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User3","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T12:46:41.263+0000","org":"Organization8","repo":"Organization8/Repo8","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo5","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T14:27:43.668+0000","visibility":"internal","org":"Organization10","created_at":"2023-03-05T14:27:43.668+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T07:51:10.471+0000","visibility":"private","org":"Organization4","repo":"Organization4/Repo7","created_at":"2023-03-08T07:51:10.471+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T19:46:11.810+0000","org":"Organization3","created_at":"2023-03-06T19:46:11.810+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T17:49:48.322+0000","visibility":"private_internal","org":"Organization2","created_at":"2023-03-02T17:49:48.322+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T17:36:31.725+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo8","created_at":"2023-03-04T17:36:31.725+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T02:50:17.111+0000","org":"Organization4","created_at":"2023-03-03T02:50:17.111+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User4","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T17:51:43.700+0000","org":"Organization4","repo":"Organization4/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo8","repository_public":"false","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T10:14:35.875+0000","org":"Organization1","created_at":"2023-03-08T10:14:35.875+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User8","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T06:34:34.181+0000","org":"Organization7","hook_id":"303999727","name":"webhook","created_at":"2023-03-02T06:34:34.181+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T20:23:15.809+0000","org":"Organization5","repo":"Organization5/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo8","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-08T09:07:05.294+0000","org":"Organization4","repo":"Organization4/Repo2","created_at":"2023-03-08T09:07:05.294+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T00:55:56.837+0000","org":"Organization10","repo":"Organization10/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo2","repository_public":"false","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T21:08:25.563+0000","org":"Organization4","created_at":"2023-03-05T21:08:25.563+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User1","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T05:21:55.390+0000","org":"Organization5","created_at":"2023-03-02T05:21:55.390+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User4","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-04T23:08:31.868+0000","org":"Organization4","created_at":"2023-03-04T23:08:31.868+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T03:19:51.711+0000","visibility":"internal","org":"Organization2","created_at":"2023-03-07T03:19:51.711+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T06:51:45.716+0000","org":"Organization10","created_at":"2023-03-06T06:51:45.716+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User7","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T07:54:03.907+0000","org":"Organization2","created_at":"2023-03-04T07:54:03.907+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User7","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T17:32:12.024+0000","org":"Organization2","created_at":"2023-03-07T17:32:12.024+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User7","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T20:08:17.699+0000","org":"Organization9","created_at":"2023-03-04T20:08:17.699+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T16:37:17.634+0000","org":"Organization9","repo":"Organization9/Repo4","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo3","repository_public":"false","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T17:11:10.892+0000","org":"Organization8","created_at":"2023-03-01T17:11:10.892+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-08T05:35:38.190+0000","org":"Organization1","created_at":"2023-03-08T05:35:38.190+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User3","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T03:08:22.732+0000","org":"Organization7","repo":"Organization7/Repo8","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo10","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T21:10:02.146+0000","org":"Organization10","created_at":"2023-03-06T21:10:02.146+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User4","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation 
permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T01:44:04.559+0000","org":"Organization3","created_at":"2023-03-03T01:44:04.559+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User3","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T19:12:25.369+0000","org":"Organization3","created_at":"2023-03-05T19:12:25.369+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User7","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T17:39:04.605+0000","org":"Organization9","created_at":"2023-03-01T17:39:04.605+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T19:57:19.364+0000","org":"Organization7","repo":"Organization7/Repo10","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo8","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo 
create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-07T01:39:12.392+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo10","created_at":"2023-03-07T01:39:12.392+0000","action":"repo.create","actor_location":{"country_code":"CA"},"_document_id":"AcrdSmMW0PpEEmuGWiTcoQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization3","created_at":"2023-03-04T12:58:03.493+0000","active":"true","actor":"User9","@timestamp":"2023-03-04T12:58:03.493+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T07:50:53.028+0000","org":"Organization10","repo":"Organization10/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo9","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T11:40:20.118+0000","org":"Organization7","created_at":"2023-03-05T11:40:20.118+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-07T18:06:18.818+0000","org":"Organization2","created_at":"2023-03-07T18:06:18.818+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T18:47:14.472+0000","org":"Organization7","hook_id":"303999727","name":"webhook","created_at":"2023-03-07T18:47:14.472+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T17:37:57.738+0000","org":"Organization2","created_at":"2023-03-03T17:37:57.738+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User8","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":2,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T21:43:34.795+0000","visibility":"public","org":"Organization1","repo":"Organization1/Repo7","created_at":"2023-03-05T21:43:34.795+0000","action":"repo.create","actor_location":{"country_code":"ES"},"_document_id":"oLAjZ_DbHvzZlPmRCXr4MA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T08:50:26.544+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo6","created_at":"2023-03-06T08:50:26.544+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T10:22:21.957+0000","org":"Organization4","created_at":"2023-03-03T10:22:21.957+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User1","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-04T08:56:19.285+0000","org":"Organization9","created_at":"2023-03-04T08:56:19.285+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User10","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-04T13:35:33.208+0000","org":"Organization5","created_at":"2023-03-04T13:35:33.208+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T10:14:23.224+0000","org":"Organization3","created_at":"2023-03-04T10:14:23.224+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User10","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T08:32:22.418+0000","org":"Organization6","created_at":"2023-03-04T08:32:22.418+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User8","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T09:59:00.418+0000","org":"Organization3","created_at":"2023-03-03T09:59:00.418+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-06T18:21:30.052+0000","org":"Organization8","created_at":"2023-03-06T18:21:30.052+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T12:26:23.897+0000","org":"Organization1","created_at":"2023-03-07T12:26:23.897+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T10:19:25.038+0000","org":"Organization5","created_at":"2023-03-02T10:19:25.038+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User1","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events 
changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization6","created_at":"2023-03-06T04:50:26.278+0000","active":"true","actor":"User9","@timestamp":"2023-03-06T04:50:26.278+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T00:15:03.363+0000","visibility":"private_internal","org":"Organization5","created_at":"2023-03-05T00:15:03.363+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-01T14:05:03.676+0000","org":"Organization6","created_at":"2023-03-01T14:05:03.676+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T00:15:24.768+0000","org":"Organization1","repo":"Organization1/Repo1","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo2","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-02T14:24:02.138+0000","org":"Organization7","created_at":"2023-03-02T14:24:02.138+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T01:07:48.953+0000","org":"Organization3","created_at":"2023-03-06T01:07:48.953+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User2","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T19:29:51.252+0000","org":"Organization9","created_at":"2023-03-02T19:29:51.252+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T20:47:26.010+0000","org":"Organization6","created_at":"2023-03-02T20:47:26.010+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User6","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T18:17:35.992+0000","org":"Organization2","created_at":"2023-03-01T18:17:35.992+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User9","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T14:26:50.436+0000","org":"Organization3","created_at":"2023-03-07T14:26:50.436+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":7,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T04:39:23.420+0000","org":"Organization4","repo":"Organization4/Repo6","actor_location":{"country_code":"FR"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo8","repository_public":"true","actor":"User5"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-07T18:41:09.212+0000","visibility":"private","org":"Organization10","repo":"Organization10/Repo9","created_at":"2023-03-07T18:41:09.212+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T15:07:21.114+0000","org":"Organization9","repo":"Organization9/Repo8","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T00:55:26.907+0000","org":"Organization8","repo":"Organization8/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo10","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T01:04:57.122+0000","org":"Organization8","repo":"Organization8/Repo2","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo1","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-03T21:53:57.121+0000","org":"Organization2","created_at":"2023-03-03T21:53:57.121+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T20:55:46.963+0000","visibility":"private","org":"Organization6","repo":"Organization6/Repo9","created_at":"2023-03-07T20:55:46.963+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T01:19:06.591+0000","visibility":"internal","org":"Organization9","created_at":"2023-03-05T01:19:06.591+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"s96ibVD5sEyRDxYgQ8gKhQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-07T04:16:41.373+0000","org":"Organization9","created_at":"2023-03-07T04:16:41.373+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User8","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T17:08:27.855+0000","org":"Organization10","repo":"Organization10/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization10/Repo7","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T11:22:30.513+0000","org":"Organization6","created_at":"2023-03-03T11:22:30.513+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User4","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T02:00:50.140+0000","org":"Organization2","created_at":"2023-03-07T02:00:50.140+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T08:20:46.325+0000","org":"Organization1","created_at":"2023-03-06T08:20:46.325+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User2","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T00:12:53.369+0000","org":"Organization9","created_at":"2023-03-02T00:12:53.369+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User3","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T15:22:50.229+0000","org":"Organization5","created_at":"2023-03-03T15:22:50.229+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User6","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T23:14:28.726+0000","visibility":"private_internal","org":"Organization5","created_at":"2023-03-01T23:14:28.726+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T06:53:46.625+0000","org":"Organization5","created_at":"2023-03-06T06:53:46.625+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-06T01:32:41.587+0000","org":"Organization5","created_at":"2023-03-06T01:32:41.587+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User7","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T23:02:54.887+0000","org":"Organization2","created_at":"2023-03-05T23:02:54.887+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User2","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T04:10:27.198+0000","org":"Organization3","repo":"Organization3/Repo2","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update member repository creation 
permission.","id":"91233","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-05T08:18:02.335+0000","visibility":"private_internal","org":"Organization10","created_at":"2023-03-05T08:18:02.335+0000","action":"org.update_member_repository_creation_permission","actor_location":{"country_code":"ES"},"_document_id":"CAwbh8KpE75aa0ajCpRISw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T23:31:14.452+0000","org":"Organization10","created_at":"2023-03-03T23:31:14.452+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User10","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-02T21:02:26.928+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo3","created_at":"2023-03-02T21:02:26.928+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-08T11:06:47.342+0000","org":"Organization10","created_at":"2023-03-08T11:06:47.342+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User8","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-08T02:28:37.997+0000","org":"Organization8","created_at":"2023-03-08T02:28:37.997+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-05T10:16:35.379+0000","org":"Organization2","repo":"Organization2/Repo3","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo10","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-03T01:03:45.303+0000","org":"Organization5","repo":"Organization5/Repo2","created_at":"2023-03-03T01:03:45.303+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User9","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Organization disable member team creation permission.","id":"91198","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-05T00:54:09.273+0000","org":"Organization5","created_at":"2023-03-05T00:54:09.273+0000","action":"org.disable_member_team_creation_permission","actor_location":{"country_code":"SE"},"user":"User2","_document_id":"ppjVxGQBAQts82at9Az3XQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Private repository forking 
enable.","id":"91273","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T22:10:46.421+0000","org":"Organization3","created_at":"2023-03-07T22:10:46.421+0000","action":"private_repository_forking.enable","actor_location":{"country_code":"AR"},"user":"User1","_document_id":"NZWBrO2Ac02LnG3TFeEykA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-01T21:59:55.679+0000","org":"Organization2","created_at":"2023-03-01T21:59:55.679+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T23:14:13.853+0000","org":"Organization1","created_at":"2023-03-03T23:14:13.853+0000","action":"members_can_create_private_pages.enable","actor_location":{"country_code":"GR"},"user":"User9","_document_id":"sSbImF40N-hLe0mfDHkfMg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team remove member.","id":"91401","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T22:20:36.420+0000","org":"Organization9","created_at":"2023-03-02T22:20:36.420+0000","action":"team.remove_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/backend","user":"User1","_document_id":"PYn3TOghg5FYze673svhgw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T03:13:36.417+0000","org":"Organization4","created_at":"2023-03-08T03:13:36.417+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User3","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T02:23:40.653+0000","org":"Organization3","repo":"Organization3/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo1","repository_public":"false","actor":"User6"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-07T19:11:56.593+0000","org":"Organization10","created_at":"2023-03-07T19:11:56.593+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-06T13:13:21.168+0000","org":"Organization8","created_at":"2023-03-06T13:13:21.168+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T14:33:23.768+0000","org":"Organization3","created_at":"2023-03-04T14:33:23.768+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User6","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-03T01:42:17.305+0000","org":"Organization5","created_at":"2023-03-03T01:42:17.305+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User5","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T06:37:52.094+0000","org":"Organization2","repo":"Organization2/Repo2","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo6","repository_public":"false","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T06:37:27.854+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo6","created_at":"2023-03-07T06:37:27.854+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-05T20:43:44.408+0000","org":"Organization10","created_at":"2023-03-05T20:43:44.408+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-01T20:29:54.637+0000","org":"Organization4","created_at":"2023-03-01T20:29:54.637+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-02T23:36:09.892+0000","org":"Organization2","created_at":"2023-03-02T23:36:09.892+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User10","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T03:13:43.460+0000","org":"Organization8","created_at":"2023-03-04T03:13:43.460+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T19:06:18.938+0000","org":"Organization8","created_at":"2023-03-01T19:06:18.938+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User8","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T06:04:11.655+0000","org":"Organization7","created_at":"2023-03-04T06:04:11.655+0000","action":"org.audit_log_git_event_export","actor_location":{"country_code":"SE"},"_document_id":"vkV52PbNTZPJRRNLuOZcuw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T21:07:42.745+0000","org":"Organization7","created_at":"2023-03-01T21:07:42.745+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-05T07:49:36.844+0000","visibility":"private","org":"Organization8","repo":"Organization8/Repo4","created_at":"2023-03-05T07:49:36.844+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-08T11:26:47.969+0000","org":"Organization4","created_at":"2023-03-08T11:26:47.969+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"cC4uIXPNDz1O1G21Vjs8Vw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":5,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T23:41:46.646+0000","org":"Organization1","repo":"Organization1/Repo3","actor_location":{"country_code":"SE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo2","repository_public":"true","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic 
rule.","id":"91449","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-02T01:39:02.286+0000","org":"Organization6","created_at":"2023-03-02T01:39:02.286+0000","action":"members_can_create_private_pages.disable","actor_location":{"country_code":"CA"},"user":"User10","_document_id":"0rtyFg2GD2-oJyJsOtRZ_A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T01:16:30.773+0000","org":"Organization3","created_at":"2023-03-04T01:16:30.773+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User6","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T15:21:32.945+0000","org":"Organization5","created_at":"2023-03-02T15:21:32.945+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User4","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T09:34:45.618+0000","org":"Organization2","created_at":"2023-03-06T09:34:45.618+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User3","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T00:36:29.304+0000","org":"Organization8","repo":"Organization8/Repo7","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo3","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T01:53:26.844+0000","org":"Organization2","created_at":"2023-03-03T01:53:26.844+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User4","_document_id":"0Z4NBBhHM2T4gEuWziZfvQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
fetch.","id":"91159","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T12:43:36.576+0000","org":"Organization9","repo":"Organization9/Repo9","actor_location":{"country_code":"MX"},"action":"git.fetch","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook events changed.","id":"91165","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"org":"Organization10","created_at":"2023-03-03T17:12:27.476+0000","active":"true","actor":"User9","@timestamp":"2023-03-03T17:12:27.476+0000","hook_id":"303999727","name":"webhook","action":"hook.events_changed","actor_location":{"country_code":"SE"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://server/webhook"},"events":["push","create","deployment","fork","issues"],"_document_id":"Ba9NJbFnSfJB1zGEn29asw","events_were":["push"]}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T02:21:29.156+0000","org":"Organization5","created_at":"2023-03-02T02:21:29.156+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-01T23:39:17.024+0000","org":"Organization3","created_at":"2023-03-01T23:39:17.024+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User6","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T15:16:41.584+0000","org":"Organization10","created_at":"2023-03-07T15:16:41.584+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":3,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-04T21:00:11.729+0000","org":"Organization4","created_at":"2023-03-04T21:00:11.729+0000","action":"org.disable_reader_discussion_creation_permission","actor_location":{"country_code":"US"},"user":"User8","_document_id":"JQ3JAd3zHmpRpGZYJsJIQw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team 
create.","id":"91397","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-06T17:25:36.477+0000","org":"Organization1","created_at":"2023-03-06T17:25:36.477+0000","action":"team.create","actor_location":{"country_code":"SE"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"Qf6RhFYhb7ysdV8K8ukYFw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T06:48:07.572+0000","org":"Organization9","repo":"Organization9/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo3","repository_public":"false","actor":"User8"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Team 
destroy.","id":"91399","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-01T19:27:32.074+0000","org":"Organization4","created_at":"2023-03-01T19:27:32.074+0000","action":"team.destroy","actor_location":{"country_code":"IN"},"team":"_ORGANIZATION_/_REPOSITORY_","_document_id":"ZLC0q4Ka_R4gGw3gWgxc3w"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository permission.","id":"91231","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-01T16:08:12.202+0000","org":"Organization10","created_at":"2023-03-01T16:08:12.202+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"DE"},"_document_id":"BHpvG7xc2bTNW3ME3nAgDw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization display commenter full name 
enabled.","id":"91202","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-06T10:55:08.811+0000","org":"Organization2","created_at":"2023-03-06T10:55:08.811+0000","action":"org.display_commenter_full_name_enabled","actor_location":{"country_code":"MX"},"user":"User1","_document_id":"o-Edi8owvz1iPv78RPPSJw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T11:22:57.020+0000","org":"Organization4","repo":"Organization4/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo10","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Dependency graph new repos 
enable.","id":"91131","firedtimes":1,"mail":false,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-06T10:17:40.150+0000","org":"Organization8","created_at":"2023-03-06T10:17:40.150+0000","action":"dependency_graph_new_repos.enable","actor_location":{"country_code":"GR"},"user":"User2","_document_id":"2Az9XCqb-Fe8k0KkLQlk0A"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-01T13:44:39.321+0000","org":"Organization9","created_at":"2023-03-01T13:44:39.321+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User3","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Organization.","id":"91188","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-02T19:17:19.939+0000","org":"Organization1","created_at":"2023-03-02T19:17:19.939+0000","action":"org.enable_reader_discussion_creation_permission","actor_location":{"country_code":"MX"},"user":"User8","_document_id":"5KmA_VkQPn3I6gY4L8qFPA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T06:45:23.026+0000","org":"Organization5","repo":"Organization5/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization5/Repo9","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub 
Issues.","id":"91169","firedtimes":2,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T01:04:13.475+0000","org":"Organization10","created_at":"2023-03-05T01:04:13.475+0000","action":"issues.deletes_disabled","actor_location":{"country_code":"DE"},"user":"User2","_document_id":"T2hgq3r3yVD23Np6CAD-zQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":2,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T16:44:09.317+0000","org":"Organization8","created_at":"2023-03-05T16:44:09.317+0000","action":"team.add_member","actor_location":{"country_code":"MX"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User9","_document_id":"T6DZ-t0-a9yQShoBbUxc_g"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-02T16:57:13.738+0000","org":"Organization2","repo":"Organization2/Repo9","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-03T09:49:35.322+0000","org":"Organization9","repo":"Organization9/Repo5","actor_location":{"country_code":"DE"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization9/Repo2","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T02:35:42.853+0000","org":"Organization9","created_at":"2023-03-04T02:35:42.853+0000","action":"org.audit_log_export","actor_location":{"country_code":"GR"},"_document_id":"ElEQJvOCnhWZ2mVpjzYOMw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-06T01:40:20.265+0000","org":"Organization2","repo":"Organization2/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo7","repository_public":"true","actor":"User4"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Generic rule.","id":"91449","firedtimes":3,"mail":false,"groups":["github","git"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User4","@timestamp":"2023-03-03T15:35:51.255+0000","org":"Organization2","created_at":"2023-03-03T15:35:51.255+0000","action":"repository_visibility_change.enable","actor_location":{"country_code":"ES"},"user":"User7","_document_id":"dWJ-7ZR6DdumQeu01PAGig"}},"location":"github"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Repo create.","id":"91318","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-07T12:07:21.548+0000","visibility":"private","org":"Organization5","repo":"Organization5/Repo6","created_at":"2023-03-07T12:07:21.548+0000","action":"repo.create","actor_location":{"country_code":"FR"},"_document_id":"fXwGe7IW-BX8Ze64V_AORg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-03T11:46:41.654+0000","org":"Organization6","repo":"Organization6/Repo3","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo7","repository_public":"false","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Hook 
create.","id":"91162","firedtimes":1,"mail":false,"groups":["github","git","git_hook"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-03T07:25:05.633+0000","org":"Organization7","hook_id":"303999727","name":"webhook","created_at":"2023-03-03T07:25:05.633+0000","action":"hook.create","active":"true","actor_location":{"country_code":"MX"},"config":{"content_type":"json","insecure_ssl":"0","secret":"********","url":"https://my_web/notifications/webhook"},"events":["push"],"_document_id":"SSlObiXNNtzQzxFooK4-fw"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-01T22:51:09.810+0000","org":"Organization4","repo":"Organization4/Repo5","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo6","repository_public":"true","actor":"User1"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T16:19:41.005+0000","org":"Organization6","repo":"Organization6/Repo1","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization6/Repo9","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T14:16:53.891+0000","org":"Organization1","created_at":"2023-03-04T14:16:53.891+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User10","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":6,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T07:11:54.417+0000","org":"Organization1","repo":"Organization1/Repo9","actor_location":{"country_code":"US"},"action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization1/Repo8","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":3,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-07T23:08:20.262+0000","org":"Organization2","repo":"Organization2/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo5","repository_public":"true","actor":"User2"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"GitHub Organization update default repository 
permission.","id":"91231","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-07T05:26:24.228+0000","org":"Organization10","created_at":"2023-03-07T05:26:24.228+0000","action":"org.update_default_repository_permission","actor_location":{"country_code":"MX"},"_document_id":"t5ZumMJeWBs2CqZT-n4JNA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-05T19:28:08.807+0000","org":"Organization2","repo":"Organization2/Repo4","created_at":"2023-03-05T19:28:08.807+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User5","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-04T04:36:08.236+0000","visibility":"private","org":"Organization9","repo":"Organization9/Repo5","created_at":"2023-03-04T04:36:08.236+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-02T13:49:03.843+0000","org":"Organization3","repo":"Organization3/Repo5","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization3/Repo4","repository_public":"true","actor":"User10"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization audit log 
export.","id":"91193","firedtimes":2,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User9","@timestamp":"2023-03-04T01:40:56.329+0000","org":"Organization7","created_at":"2023-03-04T01:40:56.329+0000","action":"org.audit_log_export","actor_location":{"country_code":"SE"},"_document_id":"gwkccTbAcX2WujhEXS3r0Q"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":1,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T22:59:24.521+0000","org":"Organization1","created_at":"2023-03-07T22:59:24.521+0000","action":"team.add_member","actor_location":{"country_code":"DE"},"team":"_ORGANIZATION_/_REPOSITORY_","user":"User5","_document_id":"Hi6dpYdi9G5PrEqqTkEYnA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add 
member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-01T17:09:07.546+0000","org":"Organization1","created_at":"2023-03-01T17:09:07.546+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User8","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Organization.","id":"91188","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User8","@timestamp":"2023-03-04T02:19:06.899+0000","org":"Organization6","created_at":"2023-03-04T02:19:06.899+0000","action":"org.display_commenter_full_name_disabled","actor_location":{"country_code":"MX"},"user":"User5","_document_id":"OxJjqpug2FM8RJuzE1CZpA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts 
disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T04:07:39.813+0000","org":"Organization8","repo":"Organization8/Repo8","created_at":"2023-03-05T04:07:39.813+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User10","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Repository vulnerability alerts disable.","id":"91367","firedtimes":1,"mail":true,"groups":["github","git","git_repository_vulnerability_alerts"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-05T10:53:02.520+0000","org":"Organization1","repo":"Organization1/Repo10","created_at":"2023-03-05T10:53:02.520+0000","action":"repository_vulnerability_alerts.disable","actor_location":{"country_code":"US"},"user":"User1","_document_id":"wgf0uCen5LG4su6jQ2xKDA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"GitHub Repo 
destroy.","id":"91320","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T21:14:17.564+0000","visibility":"private","org":"Organization7","repo":"Organization7/Repo10","created_at":"2023-03-07T21:14:17.564+0000","action":"repo.destroy","actor_location":{"country_code":"AR"},"_document_id":"H-bRCuWh_FAoZxzW8BV9JA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-05T19:12:23.640+0000","org":"Organization8","repo":"Organization8/Repo7","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization8/Repo10","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Private repository forking 
disable.","id":"91274","firedtimes":1,"mail":false,"groups":["github","git","git_private_repository_forking"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-03T11:07:58.755+0000","org":"Organization9","created_at":"2023-03-03T11:07:58.755+0000","action":"private_repository_forking.disable","actor_location":{"country_code":"GR"},"user":"User8","_document_id":"5EkgWPa8Du6ZJ_5oOfU_rg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Issues.","id":"91169","firedtimes":1,"mail":false,"groups":["github","git","git_issues"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User7","@timestamp":"2023-03-06T16:35:01.062+0000","org":"Organization8","created_at":"2023-03-06T16:35:01.062+0000","action":"issues.deletes_enabled","actor_location":{"country_code":"IN"},"user":"User1","_document_id":"gWT0UNMVFaI8ZPB3tGGsew"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":1,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User1","@timestamp":"2023-03-07T20:29:32.687+0000","org":"Organization2","repo":"Organization2/Repo8","actor_location":{"country_code":"AR"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization2/Repo7","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-07T21:17:00.743+0000","org":"Organization1","created_at":"2023-03-07T21:17:00.743+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User4","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation 
permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User6","@timestamp":"2023-03-02T15:03:25.633+0000","org":"Organization10","created_at":"2023-03-02T15:03:25.633+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User10","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git clone.","id":"91158","firedtimes":4,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-08T04:20:08.974+0000","org":"Organization7","repo":"Organization7/Repo7","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo8","repository_public":"true","actor":"User7"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
push.","id":"91160","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User2","@timestamp":"2023-03-03T10:28:45.648+0000","org":"Organization7","repo":"Organization7/Repo4","actor_location":{"country_code":"CA"},"action":"git.push","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization7/Repo4","repository_public":"false"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Team add member.","id":"91393","firedtimes":3,"mail":false,"groups":["github","git","git_team"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User5","@timestamp":"2023-03-05T20:32:40.338+0000","org":"Organization10","created_at":"2023-03-05T20:32:40.338+0000","action":"team.add_member","actor_location":{"country_code":"FR"},"team":"_ORGANIZATION_/backend","user":"User5","_document_id":"z4qIP_kjzjnilIhL8ak0mg"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"GitHub Dependency graph new repos 
disable.","id":"91130","firedtimes":1,"mail":true,"groups":["github","git","git_dependency_graph_new_repos"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User10","@timestamp":"2023-03-06T16:03:04.582+0000","org":"Organization7","created_at":"2023-03-06T16:03:04.582+0000","action":"dependency_graph_new_repos.disable","actor_location":{"country_code":"US"},"user":"User2","_document_id":"TzBGANy3SmrnxI8GW9bpQA"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"GitHub Organization enable member team creation permission.","id":"91203","firedtimes":1,"mail":false,"groups":["github","git","git_org"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"actor":"User3","@timestamp":"2023-03-05T15:12:28.968+0000","org":"Organization1","created_at":"2023-03-05T15:12:28.968+0000","action":"org.enable_member_team_creation_permission","actor_location":{"country_code":"DE"},"user":"User9","_document_id":"sd2fnKW-Jc_OZI9xm2pyyQ"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"GitHub Git 
clone.","id":"91158","firedtimes":2,"mail":false,"groups":["github","git","git_git"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"github":{"@timestamp":"2023-03-04T14:00:42.067+0000","org":"Organization4","repo":"Organization4/Repo9","action":"git.clone","transport_protocol_name":"http","transport_protocol":"1","repository":"Organization4/Repo4","repository_public":"false","actor":"User9"}},"location":"github"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:46:37.121Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SiteDeleted","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoi
nt.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SearchAlert","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T08:17:28.342Z","ResultStatus":"Failed","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:06:46.087Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ValidaterbacAccessCheck","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:49:11.019Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:10:26.671Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"FileModified","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:14:27.318Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T22:33:24.837Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SearchAlertAggregate","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T20:37:22.557Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SiteCollectionAdminRemoved","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T07:35:13.589Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearch","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T12:09:28.723Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-User","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:24:37.821Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"UserLoggedIn","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:45:23.021Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"AddedToGroup","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":14,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:53:57.290Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-ComplianceSearchAction","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:27:05.106Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"PagePrefetched","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:27:42.117Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ListViewed","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":36,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:55:05.223Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ClientViewSignaled","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T19:00:36.971Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"AddedToGroup","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:28:09.277Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-ComplianceSearch","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:39:15.098Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-Mailbox","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T20:09:04.734Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ValidaterbacAccessCheck","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:10:23.112Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SiteCollectionAdminRemoved","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T23:34:58.261Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearch","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:32:47.665Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T19:34:11.900Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"AddedToGroup","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":14,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:15:51.811Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T02:30:56.556Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"UserLoggedIn","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":15,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"108.177.13.101","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:22:12.371Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SiteDeleted","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"cou
ntry_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:54:05.166Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SiteDeleted","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed 
on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:58:26.924Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Create","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":2,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:45:45.923Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Set-Mailbox","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":1,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 
(15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T21:25:01.085Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Set-Mailbox","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 
(15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:02:39.456Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionAdminAdded","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T16:53:01.447Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Remove-UnifiedGroup","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":1,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:31:44.083Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T09:27:18.812Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionCreated","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":4,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:37:09.918Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PagePrefetched","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:43:17.540Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Change user license.","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data 
Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:43:59.660Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"ValidaterbacAccessCheck","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":52,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:27:39.164Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ModifyFolderPermissions","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":2,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SearchDataInsightsSubscription","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-03T23:29:03.439Z","ResultStatus":"Failed","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:50:18.960Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SearchAlertAggregate","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":52,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T14:02:59.910Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ValidaterbacAccessCheck","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T00:01:37.094Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":14,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:29:30.806Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileModified","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:57:20.687Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Update user.","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T22:52:24.254Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"ListUpdated","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T16:33:07.603Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Create","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T20:00:54.260Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SiteCollectionAdminRemoved","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T13:52:11.094Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PageViewed","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:43:09.725Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"FileAccessedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:44:25.784Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewReport","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T17:18:25.788Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:49:12.457Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"FileAccessedExtended","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SearchDataInsightsSubscription","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-03T04:49:28.282Z","ResultStatus":"Failed","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:59:39.723Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-ComplianceTag","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:10:13.282Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ModifyFolderPermissions","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":2,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:43:42.267Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Set-UnifiedGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:50:26.988Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"FileAccessed","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SearchAlert","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-04T05:50:04.483Z","ResultStatus":"PartiallySucceeded","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:41:35.350Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"PageViewed","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SearchDataInsightsSubscription","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-28T13:19:23.715Z","ResultStatus":"PartiallySucceeded","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:14:31.066Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:34:55.302Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PageViewedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"frank@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SearchAlert","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":52,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-26T14:26:36.339Z","ResultStatus":"PartiallySucceeded","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T03:05:19.834Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearchAction","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:44:07.359Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchAlertAggregate","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:38:07.602Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionAdminRemoved","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:42:28.544Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Remove-UnifiedGroup","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":1,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:14:02.841Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SiteDeleted","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T23:29:31.563Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-Mailbox","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T09:18:31.368Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"FileAccessed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:28:06.634Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-ComplianceTag","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T01:56:31.823Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-User","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":1,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T16:06:23.002Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ClientViewSignaled","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:53:03.044Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ClientViewSignaled","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SearchDataInsightsSubscription","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-28T11:25:48.308Z","ResultStatus":"PartiallySucceeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:28:46.322Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:45:41.976Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T05:21:01.294Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"FileAccessed","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":6,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:21:46.989Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Remove-UnifiedGroup","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":1,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T04:53:34.911Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileAccessed","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:09:57.765Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":14,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T05:19:12.512Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T09:42:25.592Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"ModifyFolderPermissions","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":2,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlert","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T10:32:49.266Z","ResultStatus":"Failed","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:37:11.102Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlertAggregate","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:53:26.590Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-Mailbox","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:06:32.940Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T16:53:10.904Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Create","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":2,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:09:16.022Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SharingPolicyChanged","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T09:06:20.395Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:50:16.316Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Change user 
license.","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:06:00.752Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SiteCollectionAdminAdded","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":14,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:38:34.633Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"UserLoggedIn","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:49:08.469Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SharingPolicyChanged","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:16:25.749Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"PageViewed","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:19:03.934Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-ComplianceSearch","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:03:52.563Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-User","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:23:37.930Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:59:08.505Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Change user license.","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions 
from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:25:08.273Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T18:00:34.371Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-ComplianceSearch","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:15:54.019Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:56:30.832Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteCollectionCreated","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:06:44.631Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Set-User","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:53:52.415Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SharingPolicyChanged","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:28:07.307Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SiteDeleted","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"smith@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:55:49.198Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ListUpdated","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T07:46:19.928Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T01:16:19.685Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ModifyFolderPermissions","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:25:54.159Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Create","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":2,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png 
(1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is ready"},"Subscription":"Audit.Exchange","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:13:21.808Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"ModifyFolderPermissions","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS
8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T05:51:14.751Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileModified","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:08:42.494Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SharingPolicyChanged","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T16:00:45.038Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:14:17.341Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Remove-UnifiedGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:14:31.041Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewReport","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T13:14:57.265Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearchAction","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T05:10:37.560Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"UserLoggedIn","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":15,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.2","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:11:58.040Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteCollectionAdminAdded","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":14,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:49:11.016Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"ValidaterbacAccessCheck","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:00:52.825Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"UserLoggedIn","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"140.82.113.3","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T20:10:46.807Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionCreated","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:58:15.194Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:16:21.542Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Change user 
license.","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":8,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:39:32.575Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"UserLoggedIn","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":15,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.2","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T18:36:11.702Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:51:00.774Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"FileAccessed","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchDataInsightsSubscription","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-02T01:27:55.831Z","ResultStatus":"Failed","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T09:05:26.925Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Set-User","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T14:28:13.748Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SearchAlertAggregate","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":52,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:47:46.359Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-UnifiedGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:07:49.684Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"UserLoggedIn","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"108.177.13.101","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:57:58.005Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"AddedToGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":14,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:11:07.137Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Remove-UnifiedGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:26:04.888Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-Mailbox","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:36:51.755Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T00:32:40.380Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"ClientViewSignaled","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:15:56.581Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Update user.","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":8,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T22:56:04.523Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SharingPolicyChanged","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:03:29.332Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SearchAlertAggregate","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:14:31.968Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Set-UnifiedGroup","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":1,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:46:19.451Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Set-User","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T22:13:26.484Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Change user license.","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions 
from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:55:40.428Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearch","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:20:11.285Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileCheckedOut","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:01:17.130Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ClientViewSignaled","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:44:03.136Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Remove-UnifiedGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:21:18.553Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-ComplianceSearchAction","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:48:47.393Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:59:17.891Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:22:14.916Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:43:43.310Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"AddedToGroup","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":14,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:22:15.756Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:59:28.030Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Update user.","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":8,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:30:28.183Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SiteCollectionCreated","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:10:31.309Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-UnifiedGroup","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:56:27.701Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SiteDeleted","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:19:53.509Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ListViewed","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T18:16:57.276Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SharingPolicyChanged","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:36:44.987Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SiteCollectionAdminAdded","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T11:28:41.990Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:32:45.191Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Set-Mailbox","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:39:52.761Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:59:05.658Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ListViewed","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:24:30.835Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-Mailbox","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":1,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T01:54:42.317Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Change user license.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights 
REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:24:26.135Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SearchAlertAggregate","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":52,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:11:33.886Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":14,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:23:14.674Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-UnifiedGroup","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:18:17.447Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PageViewed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T00:31:51.815Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T22:49:08.599Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"PagePrefetched","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T09:19:11.148Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Update user.","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":8,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:55:59.441Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-ComplianceSearchAction","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:56:04.603Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileModified","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchDataInsightsSubscription","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":52,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-01T12:36:41.583Z","ResultStatus":"Failed","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T10:17:03.777Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Remove-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:35:38.940Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"PageViewed","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:10:51.840Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SharingPolicyChanged","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T23:11:17.718Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:13:09.055Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-SupervisoryReviewReport","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T05:42:30.436Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SiteDeleted","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:49:24.766Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Set-Mailbox","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SearchDataInsightsSubscription","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-27T10:16:02.930Z","ResultStatus":"Succeeded","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:54:14.420Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ListViewed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":36,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:34:21.357Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SharingPolicyChanged","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:37:22.373Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:18:02.984Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Change user 
license.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:10:37.922Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Set-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:43:39.789Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileCheckedOut","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:49:35.982Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileAccessed","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:44:40.376Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"PageViewed","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:28:48.456Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionAdminRemoved","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":14,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:23:22.171Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ModifyFolderPermissions","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":2,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:10:54.492Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileModified","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:22:19.737Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:31:09.698Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"ListViewed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:37:08.676Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-UnifiedGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:36:27.795Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"FileAccessedExtended","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:35:16.999Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Set-Mailbox","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:18:24.073Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"FileCheckedOut","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T01:50:56.892Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearchAction","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:07:23.047Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SearchAlertAggregate","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SearchAlert","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-02T11:08:42.134Z","ResultStatus":"Failed","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T16:51:20.792Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Update user.","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:25:51.801Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-Mailbox","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:43:33.365Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T19:00:05.052Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Set-User","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T01:40:28.473Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:22:00.939Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-ComplianceSearchAction","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:55:45.927Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ListUpdated","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:58:07.034Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-UnifiedGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:38:17.544Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-UnifiedGroup","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:06:47.375Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Remove-UnifiedGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:36:17.005Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"FileCheckedOut","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:40:49.210Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileAccessed","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T01:15:33.663Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"PageViewedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:59:37.292Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ListViewed","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":36,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:09:20.602Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewReport","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:09:13.487Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SiteCollectionAdminRemoved","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":14,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlert","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T05:10:42.680Z","ResultStatus":"PartiallySucceeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:05:01.972Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T06:08:45.421Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileCheckedOut","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T17:39:35.578Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Change user license.","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events 
from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T17:24:14.779Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Create","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":2,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T11:14:51.678Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:05:48.410Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-UnifiedGroup","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T18:22:50.683Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"ListUpdated","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":36,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T18:42:16.776Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:03:33.791Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ListUpdated","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":36,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T01:37:15.841Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceTag","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:42:36.564Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-User","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":1,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T09:57:18.574Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:02:43.643Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ListViewed","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":36,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:40:46.135Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"PageViewedExtended","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:51:33.478Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-SupervisoryReviewReport","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:56:23.579Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SiteDeleted","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"williams@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:56:45.815Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SiteCollectionAdminRemoved","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:17:52.214Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:29:13.685Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Remove-UnifiedGroup","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T07:50:22.632Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"AddedToGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:41:45.390Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Update user.","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":8,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T00:05:13.005Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:52:39.947Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":14,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:39:54.407Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:34:57.649Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-ComplianceTag","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T06:58:21.759Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"ModifyFolderPermissions","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":2,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: 
Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:02:44.729Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-SupervisoryReviewReport","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:02:30.992Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Create","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":2,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T22:43:53.434Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"FileAccessed","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New 
York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:28:15.660Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T17:55:14.786Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SharingPolicyChanged","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T22:45:31.339Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Add service principal.","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":8,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:43:42.794Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"ListViewed","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":36,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:13:24.729Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-ComplianceSearch","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T23:35:50.375Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Remove-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T09:38:46.273Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Add service 
principal.","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:56:20.089Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileAccessed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared 
Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T14:38:30.213Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"AddedToGroup","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":14,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:55:38.335Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"AddedToGroup","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T17:05:39.970Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:29:56.625Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Create","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:43:06.214Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"FileAccessed","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared 
Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T16:49:50.665Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ListViewed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":36,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:46:55.305Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Create","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"frank@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 
(15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is ready"},"Subscription":"Audit.Exchange","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:24:00.500Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Add service 
principal.","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":8,"ResultStatus":"Succeeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:42:32.598Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-User","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T19:10:41.010Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SiteCollectionAdminRemoved","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":14,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:16:25.661Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"FileAccessedExtended","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":6,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T12:08:27.789Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"PagePrefetched","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:38:19.566Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T12:14:46.831Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SiteCollectionCreated","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:11:51.645Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ClientViewSignaled","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:29:23.617Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Set-User","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T05:09:26.186Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearchAction","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:44:09.857Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T04:16:14.848Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:00:46.935Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileCheckedOut","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:32:53.158Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileCheckedOut","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:58:13.196Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ClientViewSignaled","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T14:20:06.228Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Remove-UnifiedGroup","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":1,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:01:06.543Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"PagePrefetched","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T13:48:02.549Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SiteCollectionCreated","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:56:37.328Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ListViewed","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":36,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T02:00:03.077Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:40:18.965Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:15:42.711Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"PagePrefetched","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:04:21.473Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Update user.","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":8,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:57:39.974Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileCheckedOut","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:39:50.087Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ModifyFolderPermissions","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":2,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T11:44:30.421Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:34:21.483Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Set-UnifiedGroup","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":1,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T18:58:52.205Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Change user license.","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights 
REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SearchDataInsightsSubscription","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":52,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-28T22:19:43.488Z","ResultStatus":"Succeeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SearchDataInsightsSubscription","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-28T13:29:30.248Z","ResultStatus":"Succeeded","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T04:52:16.126Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteDeleted","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:48:24.296Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionCreated","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:17:20.119Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Add service 
principal.","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":8,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T14:57:22.853Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:38:20.276Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"PageViewed","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:29:14.936Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SharingPolicyChanged","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:45:56.254Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Add service principal.","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":8,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:54:35.560Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:40:24.557Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:53:43.674Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:01:49.841Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"ValidaterbacAccessCheck","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:30:18.376Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceTag","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T07:03:25.705Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:23:54.816Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteCollectionAdminRemoved","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:32:09.258Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Remove-UnifiedGroup","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:24:27.871Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ClientViewSignaled","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:55:19.706Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-ComplianceTag","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:23:56.409Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T02:38:42.573Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:36:59.063Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SearchAlertAggregate","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:30:22.961Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessedExtended","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:39:49.535Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SiteCollectionCreated","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SearchDataInsightsSubscription","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-01T18:52:02.191Z","ResultStatus":"PartiallySucceeded","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:46:11.907Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T19:39:59.269Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceTag","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T22:47:37.323Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Set-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:53:08.721Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"AddedToGroup","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T23:23:12.779Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ListViewed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T06:40:43.906Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ModifyFolderPermissions","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":2,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:17:27.956Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Set-Mailbox","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":1,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:57:58.576Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SharingPolicyChanged","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:52:02.941Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-Mailbox","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T01:57:15.292Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T13:42:05.547Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SiteDeleted","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:27:58.093Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-User","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":1,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:46:24.455Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteDeleted","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T05:47:25.808Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"AddedToGroup","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:43:17.512Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ListViewed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T01:51:34.071Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"ModifyFolderPermissions","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":2,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchDataInsightsSubscription","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-04T12:56:52.012Z","ResultStatus":"Succeeded","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T04:03:21.445Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Remove-UnifiedGroup","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":1,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:59:04.347Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PageViewed","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":4,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T16:04:56.032Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionCreated","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:37:25.735Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:21:59.829Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SiteCollectionAdminRemoved","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:42:13.635Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-UnifiedGroup","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:25:48.462Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"UserLoggedIn","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:53:47.043Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ListViewed","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":36,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:42:13.109Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SiteCollectionAdminRemoved","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:47:52.972Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"PagePrefetched","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of 
America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:45:45.136Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"ValidaterbacAccessCheck","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T01:24:59.564Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-UnifiedGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:49:22.323Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"FileAccessedExtended","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:44:06.289Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminAdded","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:50:22.268Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Remove-UnifiedGroup","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T14:01:01.775Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:58:37.019Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ModifyFolderPermissions","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":2,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:26:58.365Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlert","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-28T16:53:15.486Z","ResultStatus":"Succeeded","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:00:24.347Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SharingPolicyChanged","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:47:30.941Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SiteCollectionAdminAdded","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T21:23:50.928Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"AddedToGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T06:27:24.535Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Create","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":2,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:40:00.774Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"ModifyFolderPermissions","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, 
FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:47:41.129Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ValidaterbacAccessCheck","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T10:09:44.518Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Set-User","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:43:28.340Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"FileAccessedExtended","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:53:51.423Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ListUpdated","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":36,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:45:20.132Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Change user license.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file 
operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:06:15.350Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileModified","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":6,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T08:15:11.708Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteDeleted","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:07:09.951Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:55:06.724Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SearchAlertAggregate","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T14:24:07.552Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"PagePrefetched","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T00:55:24.031Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T03:48:23.352Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"FileAccessedExtended","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:13:17.452Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ValidaterbacAccessCheck","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":52,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T14:39:38.429Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:42:10.804Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Set-Mailbox","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T10:15:32.458Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Set-User","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":1,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:34:25.987Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-ComplianceSearchAction","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:16:07.270Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileModified","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:19:31.481Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Remove-UnifiedGroup","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T03:15:49.465Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-ComplianceSearchAction","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:15:31.376Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:49:45.639Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ClientViewSignaled","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:09:42.597Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Set-Mailbox","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:47:24.686Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"FileAccessedExtended","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T16:57:52.626Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SearchAlertAggregate","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T20:22:27.334Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-ComplianceTag","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:13:20.921Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ListUpdated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:11:01.070Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileModified","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:33:01.144Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewReport","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T04:56:22.140Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T08:48:06.073Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"AddedToGroup","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T01:25:49.901Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:01:42.886Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ListViewed","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":36,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T19:34:06.323Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileAccessed","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchDataInsightsSubscription","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-02-28T04:10:41.426Z","ResultStatus":"Succeeded","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:37:06.349Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"PagePrefetched","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:34:54.785Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchAlertAggregate","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:50:40.762Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:07:21.604Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ClientViewSignaled","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:07:33.211Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Set-User","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T11:53:50.549Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:38:09.848Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T18:04:58.014Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionCreated","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:44:50.880Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionAdminRemoved","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":14,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:43:26.492Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-User","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:48:53.443Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Set-Mailbox","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:18:29.420Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionAdminRemoved","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:07:03.152Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteDeleted","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T19:37:36.136Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ClientViewSignaled","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T23:42:08.982Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-Mailbox","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:05:35.653Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SiteCollectionCreated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:57:35.070Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"PagePrefetched","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:35:12.923Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PageViewedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:41:47.311Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:22:55.279Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"FileCheckedOut","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T14:54:09.690Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"PagePrefetched","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:49:17.287Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T03:00:54.377Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Change user license.","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":8,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service 
(STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T08:09:46.571Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"UserLoggedIn","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.104","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:09:54.121Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionAdminAdded","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":14,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T16:46:22.797Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"ModifyFolderPermissions","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":2,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 
(15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:29:26.359Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"UserLoggedIn","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":15,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T22:20:21.470Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Create","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":2,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:02:21.953Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:08:47.471Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"PageViewed","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:43:59.057Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Change user license.","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":8,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions 
from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T06:19:00.506Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearch","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:01:27.829Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"PagePrefetched","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:58:42.145Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileAccessedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T10:00:09.370Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Change user license.","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure 
Token Service (STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T17:21:55.231Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"UserLoggedIn","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":15,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.2","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T14:07:18.445Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"ValidaterbacAccessCheck","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T14:21:49.851Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"AddedToGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":14,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"smith@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:08:30.491Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-ComplianceSearch","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SearchAlert","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-02T15:54:03.558Z","ResultStatus":"Failed","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:02:02.025Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:12:42.808Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:34:08.803Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T13:45:44.299Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"FileModified","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:13:21.040Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-ComplianceTag","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Succeeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:04:21.368Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileAccessed","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":6,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:53:59.984Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"ModifyFolderPermissions","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:22:49.470Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SiteCollectionCreated","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:19:27.933Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"PageViewed","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T03:54:33.610Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Set-UnifiedGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T16:07:11.423Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessed","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:37:42.900Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileAccessedExtended","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T13:23:46.668Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Change user license.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin 
actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:09:21.700Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:42:14.749Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T21:49:32.071Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SharingPolicyChanged","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:52:50.245Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"UserLoggedIn","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:07:54.711Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"UserLoggedIn","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":15,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.2","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T16:16:33.165Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:44:03.094Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SharingPolicyChanged","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T22:41:20.883Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-User","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":1,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T10:27:18.096Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Change user license.","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":8,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the 
Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:11:00.765Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:27:23.402Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ListUpdated","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":36,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T01:38:58.805Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Change user license.","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":8,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:12:15.704Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"UserLoggedIn","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.66","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:52:10.565Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":18,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:44:22.598Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileCheckedOut","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:36:43.040Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"FileAccessedExtended","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:53:01.335Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"PageViewedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T20:04:18.879Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"PagePrefetched","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:52:39.796Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SiteCollectionCreated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlert","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-03T17:38:31.587Z","ResultStatus":"Succeeded","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:25:51.368Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Failed","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:10:23.785Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionAdminRemoved","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":14,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:53:02.079Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-SupervisoryReviewReport","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T02:39:59.290Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionCreated","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:57:39.160Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceSearch","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T18:01:24.182Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:07:00.106Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"UserLoggedIn","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":15,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T14:36:34.607Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:37:37.234Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SiteCollectionAdminAdded","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T19:07:40.706Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:03:54.728Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-UnifiedGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:00:57.993Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-ComplianceSearchAction","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SearchAlert","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":52,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T13:31:40.879Z","ResultStatus":"Succeeded","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T13:57:19.489Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"ValidaterbacAccessCheck","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":52,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:40:49.670Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteDeleted","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T09:22:27.478Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-ComplianceSearch","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:19:45.714Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ModifyFolderPermissions","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":2,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 
365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:54:05.370Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteCollectionAdminAdded","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":14,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:48:51.309Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"PagePrefetched","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:29:58.370Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SiteDeleted","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:27:08.203Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T17:16:42.553Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:03:38.273Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"PagePrefetched","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:47:43.274Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Remove-UnifiedGroup","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:09:32.120Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Update 
user.","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":8,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:53:37.422Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Set-UnifiedGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:24:22.816Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteCollectionCreated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:43:04.652Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"PageViewed","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T17:45:19.412Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-SupervisoryReviewReport","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:51:27.342Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"ListUpdated","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":36,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T08:28:34.397Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T01:07:33.529Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Change user 
license.","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":8,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:25:10.612Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ValidaterbacAccessCheck","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:51:39.612Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T13:56:15.235Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Set-UnifiedGroup","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:41:45.168Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"ValidaterbacAccessCheck","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T13:04:40.411Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"PageViewed","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":4,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T03:08:48.248Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:34:32.823Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SearchAlertAggregate","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:18:25.113Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"FileCheckedOut","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:12:14.837Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceTag","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T21:44:58.679Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Update 
user.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:17:18.727Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SiteDeleted","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:04:39.633Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":14,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T22:45:30.771Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Update user.","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":8,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T06:48:38.686Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Add service 
principal.","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":8,"ResultStatus":"Succeeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchDataInsightsSubscription","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-02T22:19:59.357Z","ResultStatus":"PartiallySucceeded","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:28:13.902Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:13:13.676Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Add service 
principal.","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":8,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:36:46.853Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared 
Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:40:31.503Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Add service principal.","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated 
Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:43:27.728Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SiteDeleted","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:45:34.966Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Remove-UnifiedGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T06:32:05.239Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Remove-UnifiedGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T08:06:58.120Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"PageViewedExtended","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:31:43.589Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"AddedToGroup","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":14,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:28:07.051Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Create","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":2,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T16:40:24.403Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T11:49:20.606Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SharingPolicyChanged","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T00:28:29.872Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ClientViewSignaled","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:01:59.334Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:03:17.091Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Set-Mailbox","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:36:37.278Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Change user license.","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":8,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions 
from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:40:32.689Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-ComplianceSearchAction","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:54:42.501Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T19:18:11.600Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchAlertAggregate","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T09:51:47.480Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-ComplianceSearch","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:45:43.012Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminAdded","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":14,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:44:15.011Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"FileAccessedExtended","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:48:07.289Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SharingPolicyChanged","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T23:21:24.450Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"ClientViewSignaled","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:32:59.183Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-User","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T18:15:03.665Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-Mailbox","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:04:46.826Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"ListUpdated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:29:39.992Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ClientViewSignaled","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:10:43.478Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:24:10.527Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchAlertAggregate","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T04:23:06.471Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PageViewedExtended","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T23:25:07.165Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteDeleted","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T05:00:13.894Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"FileCheckedOut","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:10:30.480Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:47:13.338Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:39:15.198Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteDeleted","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchDataInsightsSubscription","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-01T11:07:20.522Z","ResultStatus":"Succeeded","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:35:01.786Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SearchAlertAggregate","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":52,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:56:37.176Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"FileAccessedExtended","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:00:07.544Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-ComplianceSearchAction","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:51:18.725Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"FileAccessed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:11:32.976Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"ListUpdated","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":36,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:49:04.515Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:05:38.070Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Remove-UnifiedGroup","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"williams@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:10:47.027Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Remove-UnifiedGroup","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T14:20:51.522Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Remove-UnifiedGroup","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:48:12.911Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewReport","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:47:30.794Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionAdminAdded","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":14,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:52:36.708Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:35:48.140Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Change user 
license.","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":8,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T20:37:26.459Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchAlert","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-01T02:54:01.709Z","ResultStatus":"Failed","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:00:39.690Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:14:00.810Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T06:49:23.699Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"UserLoggedIn","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.66","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:23:34.933Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearch","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:58:44.207Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"FileCheckedOut","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:38:44.008Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"FileAccessed","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T22:09:50.779Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:27:03.088Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"FileAccessedExtended","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchDataInsightsSubscription","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":52,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-05T05:35:34.854Z","ResultStatus":"Failed","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SearchDataInsightsSubscription","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-04T17:02:12.076Z","ResultStatus":"Succeeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:30:39.720Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:09:12.332Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"FileModified","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:31:13.621Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"FileCheckedOut","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:59:48.253Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SearchAlertAggregate","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":52,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:56:44.537Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteDeleted","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:37:02.399Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Add service principal.","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":8,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:07:23.995Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"AddedToGroup","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:43:41.655Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Create","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":2,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:07:08.064Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ValidaterbacAccessCheck","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T01:00:50.888Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T03:41:53.135Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:20:34.534Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"PageViewed","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T10:06:28.775Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Add service principal.","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":8,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T21:01:06.815Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ValidaterbacAccessCheck","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T00:56:43.687Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Change user 
license.","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":8,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T23:10:53.096Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SharingPolicyChanged","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:01:14.546Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:45:24.778Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:08:27.546Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Set-User","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T23:53:40.644Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T21:14:51.772Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionAdminRemoved","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":14,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:37:43.757Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:29:28.441Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ModifyFolderPermissions","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:50:07.587Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T19:45:47.968Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PageViewed","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T06:10:12.029Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"FileCheckedOut","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:20:16.504Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileAccessed","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:29:15.458Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:29:40.901Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Change user license.","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":8,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint List events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:25:29.271Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ListUpdated","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":36,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T19:43:48.161Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Remove-UnifiedGroup","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":1,"ResultStatus":"Failed","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:35:04.993Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"ClientViewSignaled","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SearchAlert","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-01T18:29:11.870Z","ResultStatus":"Failed","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T08:38:33.022Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"ListUpdated","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T23:36:35.220Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:18:48.522Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"PageViewed","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:34:55.088Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"AddedToGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":14,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T00:54:14.946Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-Mailbox","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":1,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T06:01:28.876Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-ComplianceTag","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T23:48:35.844Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Update 
user.","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T20:37:19.722Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:18:26.810Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"UserLoggedIn","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":15,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"108.177.13.101","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T06:03:43.311Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"AddedToGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":14,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:47:52.500Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"UserLoggedIn","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.66","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T20:17:40.717Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Set-Mailbox","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 
(15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T03:03:46.061Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteCollectionCreated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:01:30.516Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"PageViewedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:24:56.467Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"PageViewedExtended","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:04:17.186Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"PageViewed","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:09:15.592Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T00:54:11.909Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SearchAlertAggregate","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:59:25.514Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-UnifiedGroup","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:55:46.449Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionCreated","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:23:37.175Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-User","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:44:33.422Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Remove-UnifiedGroup","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:21:23.916Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Update 
user.","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T08:46:17.328Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"ListUpdated","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":36,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:27:27.257Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ListViewed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T03:08:00.390Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T13:57:00.070Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-ComplianceTag","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SearchAlert","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-03T09:04:03.390Z","ResultStatus":"Succeeded","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:04:22.079Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"FileModified","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":6,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:19:01.701Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T06:37:46.571Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:59:56.268Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-ComplianceSearchAction","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T18:16:57.868Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ModifyFolderPermissions","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":2,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T01:09:05.793Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"AddedToGroup","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":14,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:42:59.904Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-SupervisoryReviewReport","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T21:52:30.947Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"FileAccessed","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T03:39:35.489Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearchAction","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:32:46.931Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-Mailbox","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T20:46:02.850Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Change user license.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:59:55.896Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SharingPolicyChanged","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T02:59:22.834Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"PagePrefetched","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:08:27.278Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SearchAlert","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-01T05:59:42.269Z","ResultStatus":"Failed","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:42:06.064Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ClientViewSignaled","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T09:12:08.101Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Add service principal.","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":8,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:54:17.147Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SearchAlertAggregate","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:53:21.482Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"PageViewedExtended","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T23:04:18.029Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionCreated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:15:29.905Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-User","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"Succeeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:27:30.119Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Change user license.","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":8,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the 
Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:08:42.734Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-Mailbox","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":1,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:03:26.119Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"FileCheckedOut","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:09:25.047Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T08:05:30.149Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"AddedToGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T15:51:27.359Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PagePrefetched","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T17:45:11.282Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SiteDeleted","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:17:45.609Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"ModifyFolderPermissions","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:58:29.328Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SharingPolicyChanged","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T00:46:54.081Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"PageViewed","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":4,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SearchAlert","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":52,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T20:02:56.997Z","ResultStatus":"PartiallySucceeded","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:10:27.925Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ListUpdated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:40:47.566Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Update user.","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":8,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:07:50.789Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T11:47:17.118Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"ClientViewSignaled","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":4,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SearchAlert","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-03T03:23:40.427Z","ResultStatus":"Succeeded","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:17:55.237Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionCreated","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:00:28.159Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchAlertAggregate","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:16:50.634Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-ComplianceTag","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T21:11:51.238Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"FileAccessed","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:39:40.593Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:42:25.009Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SiteCollectionAdminAdded","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T05:00:18.946Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-SupervisoryReviewReport","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:40:43.826Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SearchAlertAggregate","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":52,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:50:27.415Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ModifyFolderPermissions","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"brown@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:31:08.795Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SharingPolicyChanged","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":4,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:12:06.993Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-SupervisoryReviewReport","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":18,"ResultStatus":"Succeeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlert","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":52,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T12:46:15.138Z","ResultStatus":"Failed","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:09:49.165Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:16:28.244Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T06:35:32.447Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Set-Mailbox","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:59:15.792Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteDeleted","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:13:39.458Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteCollectionCreated","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:13:04.886Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:42:00.445Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-ComplianceSearchAction","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:09:31.401Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ClientViewSignaled","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:48:52.992Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteDeleted","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T16:37:04.861Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SharingPolicyChanged","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:56:30.193Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:51:30.510Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"FileAccessedExtended","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T00:41:27.087Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SiteCollectionCreated","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T18:49:52.562Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"FileCheckedOut","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:18:41.359Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"FileAccessedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:15:39.073Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"ListUpdated","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":36,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T18:42:45.980Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:47:39.743Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-User","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:20:23.282Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionCreated","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T05:05:59.607Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SiteCollectionAdminAdded","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":14,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SearchDataInsightsSubscription","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":52,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-02T06:28:59.913Z","ResultStatus":"PartiallySucceeded","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T22:45:07.394Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Change user 
license.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:06:02.618Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Update user.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T01:38:36.196Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceSearchAction","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:13:22.591Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"FileAccessed","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:38:18.612Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T02:56:15.859Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"ValidaterbacAccessCheck","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:12:26.478Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"AddedToGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:12:26.096Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-ComplianceSearchAction","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SearchDataInsightsSubscription","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-03T12:25:45.709Z","ResultStatus":"Failed","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T16:23:42.382Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-Mailbox","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":1,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:01:33.286Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteDeleted","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T05:17:45.482Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"FileAccessedExtended","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T04:38:46.274Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearchAction","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:43:20.491Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"ClientViewSignaled","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T03:19:04.629Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ListUpdated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:27:29.018Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceTag","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T09:41:55.580Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"FileModified","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:41:26.455Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Remove-UnifiedGroup","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":1,"ResultStatus":"Succeeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:54:26.009Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"FileAccessed","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T01:44:21.036Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:19:13.219Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Update 
user.","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":8,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:05:31.152Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:14:48.932Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-Mailbox","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T18:34:25.316Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:35:54.552Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SiteCollectionAdminAdded","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:58:25.371Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ValidaterbacAccessCheck","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:32:37.125Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-ComplianceSearch","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SearchDataInsightsSubscription","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-05T08:57:47.046Z","ResultStatus":"Failed","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T17:52:51.450Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ListUpdated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":36,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:18:07.035Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchAlertAggregate","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":52,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T23:12:44.064Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:49:34.737Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-User","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":1,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:12:36.027Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T16:17:38.004Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"FileCheckedOut","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T12:50:34.624Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SiteCollectionAdminAdded","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T07:22:44.656Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SharingPolicyChanged","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T15:49:06.831Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SharingPolicyChanged","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T06:42:24.117Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchAlertAggregate","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:03:51.176Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T09:44:59.178Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ModifyFolderPermissions","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:21:08.305Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"AddedToGroup","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":14,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:51:50.221Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ListUpdated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:25:26.287Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Create","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":2,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SearchAlert","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-02T17:07:00.188Z","ResultStatus":"Failed","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:20:09.006Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SiteDeleted","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:32:50.701Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"ListViewed","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":36,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:24:30.365Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-SupervisoryReviewReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:37:21.726Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionCreated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:36:28.218Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"ClientViewSignaled","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:45:43.030Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminAdded","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T06:37:25.745Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:44:53.170Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T10:48:22.336Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"ModifyFolderPermissions","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":2,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"frank@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:11:45.540Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PageViewedExtended","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T13:14:09.379Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Set-User","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SearchDataInsightsSubscription","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-04T07:17:08.117Z","ResultStatus":"Failed","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:50:29.839Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Set-User","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:55:30.491Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:31:06.988Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Set-User","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:47:07.290Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Change user license.","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:03:04.852Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"FileCheckedOut","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T01:08:57.139Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:27:36.646Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SiteCollectionAdminAdded","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":14,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:10:26.504Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Remove-UnifiedGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T03:32:30.042Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SearchDataInsightsSubscription","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-01T07:41:49.185Z","ResultStatus":"Failed","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:27:12.272Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"PagePrefetched","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T22:03:26.228Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"AddedToGroup","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T05:22:04.747Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-SupervisoryReviewReport","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T06:50:49.155Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-ComplianceSearchAction","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:47:29.006Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"ValidaterbacAccessCheck","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T20:36:02.326Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T13:46:15.011Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Failed","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T05:44:04.887Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SiteCollectionCreated","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T16:43:32.876Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T01:10:20.134Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileAccessedExtended","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchDataInsightsSubscription","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-03T15:30:27.850Z","ResultStatus":"PartiallySucceeded","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T11:59:39.824Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Set-UnifiedGroup","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T13:56:44.846Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ModifyFolderPermissions","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":2,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 
365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T05:47:04.240Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"PageViewed","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:40:27.672Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileAccessedExtended","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T01:07:29.166Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SiteDeleted","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T15:54:16.823Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteCollectionAdminAdded","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:39:48.054Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminAdded","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":14,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:00:28.953Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:42:39.609Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T16:06:22.703Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T10:18:17.505Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T10:40:38.794Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ListViewed","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":36,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"brown@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:12:07.631Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"UserLoggedIn","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"13.226.52.66","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T20:08:57.769Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SearchAlert","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-02T11:39:38.420Z","ResultStatus":"PartiallySucceeded","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:02:55.229Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Get-SupervisoryReviewReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T04:19:28.513Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteCollectionAdminAdded","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":14,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:13:14.644Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:22:15.415Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileAccessedExtended","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"SearchAlert","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":52,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-02T21:32:07.787Z","ResultStatus":"Succeeded","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:16:20.389Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchAlertAggregate","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":52,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:18:15.943Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearchAction","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:22:49.313Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"FileCheckedOut","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:46:16.781Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:02:32.911Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-ComplianceSearchAction","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:11:37.266Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewReport","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T02:42:30.789Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T16:30:01.801Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"PagePrefetched","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"jones@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:17:22.809Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Set-UnifiedGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T06:43:41.787Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SearchAlertAggregate","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:53:36.357Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Change user license.","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events 
from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:27:50.864Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Set-Mailbox","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:20:30.903Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Change user license.","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions 
from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:43:56.826Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-SupervisoryReviewReport","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:41:04.627Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-ComplianceSearchAction","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T08:30:15.143Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Set-User","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":1,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T12:20:10.263Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Create","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":2,"ResultStatus":"Succeeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"140.82.113.3","UserId":"williams@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T11:18:12.484Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"ValidaterbacAccessCheck","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:24:39.755Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"SharingPolicyChanged","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:42:29.108Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"FileAccessedExtended","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:26:52.844Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-UnifiedGroup","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":1,"ResultStatus":"Succeeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:28:10.798Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-SupervisoryReviewReport","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T18:41:58.400Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Get-SupervisoryReviewReport","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T23:06:57.285Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Add service principal.","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":8,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T09:27:35.969Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T23:55:32.146Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"AddedToGroup","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":14,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T10:36:19.214Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Add service principal.","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":8,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:29:24.960Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"ModifyFolderPermissions","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"SearchAlert","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-26T12:05:02.211Z","ResultStatus":"PartiallySucceeded","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T17:23:03.364Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:37:11.592Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"FileAccessed","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T15:42:47.462Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"SiteCollectionCreated","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T10:21:33.119Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ValidaterbacAccessCheck","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":52,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:45:04.870Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ValidaterbacAccessCheck","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":52,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T02:40:30.341Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-ComplianceSearchAction","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T14:21:14.466Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"UserLoggedIn","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":15,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:10:02.022Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessedExtended","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":6,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared 
Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:10:35.555Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"PagePrefetched","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T04:58:29.930Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-User","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":1,"ResultStatus":"Failed","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:10:47.992Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Set-User","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"Exchange","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T00:33:23.116Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"SiteDeleted","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRelativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T14:01:56.923Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SearchAlertAggregate","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":52,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T02:29:30.722Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileCheckedOut","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T14:28:25.513Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"UserLoggedIn","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":15,"ResultStatus":"Succeeded","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:03:08.651Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SearchAlertAggregate","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}}
 +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T16:48:51.565Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-ComplianceTag","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"Succeeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T07:08:38.891Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"PageViewedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T12:17:32.352Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Remove-UnifiedGroup","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":1,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"108.177.13.101","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T18:48:54.485Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Change user 
license.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"Failed","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T14:37:57.656Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Set-User","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":1,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"Exchange","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:22:53.662Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-ComplianceSearch","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:47:56.176Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Add service 
principal.","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":8,"ResultStatus":"Succeeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T09:45:50.760Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SiteCollectionCreated","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":4,"UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.2","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:03:39.788Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"FileModified","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:13:51.736Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:35:14.915Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SiteCollectionAdminRemoved","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T23:28:27.433Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Get-ComplianceSearch","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"Failed","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T20:02:31.076Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Succeeded","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:19:19.221Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionAdminAdded","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"77.231.182.17","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:14:06.851Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileCheckedOut","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T21:55:00.036Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"Set-Mailbox","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":1,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"AM9PR04MB8986 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXGJkYmI4MjM2LTBmNDgtNGZjNi05Zjc3LTkxNGNkY2MwMmIzYw2"},{"Name":"ResourceEmailAddresses","Value":"True"},{"Name":"BypassLiveId","Value":"True"},{"Name":"Force","Value":"True"},{"Name":"DomainController","Value":"HE1PR04A010DC03.EURPR04A010.prod.outlook.com"},{"Name":"EmailAddresses","Value":"SIP:fake@email.not;SMTP:fake@email.not;SPO:SPO_f49feae4-033d-4028-97d1-3acd55341f69@SPO_0fea4e03-8146-453b-b889-54b4bd11565b"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T02:29:53.430Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessed","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":6,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:34:41.256Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"PageViewed","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":4,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"ccd0c99f-309b-2000-df13-3fcca9a8c8e1","CustomUniqueId":true,"EventSource":"SharePoint","ItemType":"Page","ListItemUniqueId":"59a8433d-9bb8-cfef-65b7-ef35de00c8f6","Site":"f7fbb805-5f6b-4950-b681-2365eb46081f","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"3b56db49-60e3-410e-acbd-d8765467388a","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T03:44:15.370Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlertAggregate","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":52,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"frank@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T20:26:05.856Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearch","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:36:24.389Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileCheckedOut","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f03c-2000-df13-38983a6608f8","EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","HighPriorityMediaProcessing":false,"SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T08:21:51.860Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Add service principal.","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":8,"ResultStatus":"Failed","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:03:28.581Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"AddedToGroup","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":14,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"frank@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SearchAlert","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":52,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-28T22:38:49.922Z","ResultStatus":"PartiallySucceeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:54:07.954Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearch","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T00:13:45.263Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Update 
user.","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T12:55:32.081Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-ComplianceTag","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T19:19:19.691Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Create","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":2,"ResultStatus":"Succeeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.89","UserId":"frank@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Attachments":"warming_email_03_2017_calendar.png (646b); warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)","Id":"RgAAAAA6tVhba3JWSaGmky7/7OvfBwDRwKc47c1sT4Waab6O4zbPAAAAAAEMAADRwKc47c1sT4Waab6O4zbPAAAAAAk9AAAJ","InternetMessageId":"","IsRecord":false,"ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"The new TestSharePoint group is 
ready"},"Subscription":"Audit.Exchange","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T01:36:22.077Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SearchAlertAggregate","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":52,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SearchAlert","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":52,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-26T13:32:36.020Z","ResultStatus":"PartiallySucceeded","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T01:29:11.049Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SearchAlertAggregate","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T09:44:14.805Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"PageViewedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T02:14:35.020Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"FileAccessed","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":6,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T12:10:55.883Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceSearch","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T04:29:26.757Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"FileAccessed","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T09:07:25.959Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ListViewed","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":36,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T10:26:05.066Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"FileAccessed","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":6,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T15:42:35.362Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"FileAccessedExtended","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":6,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T05:04:13.454Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Add service principal.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T18:51:59.280Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"Get-ComplianceTag","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T13:19:31.730Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileAccessed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":6,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T22:47:03.728Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionAdminAdded","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":14,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T14:21:41.194Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T03:33:20.992Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"ModifyFolderPermissions","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":2,"ResultStatus":"Succeeded","UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: 
SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T23:43:14.339Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"FileModified","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":6,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T07:18:22.953Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"PageViewedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"jones@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:29:54.837Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"ClientViewSignaled","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T04:31:45.335Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T14:12:01.908Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearch","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T03:20:13.764Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Get-ComplianceSearchAction","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":18,"ResultStatus":"Failed","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T11:57:15.628Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"ModifyFolderPermissions","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":2,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"172.217.204.94","UserId":"frank@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T09:25:06.287Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T10:29:57.083Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Set-User","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":1,"ResultStatus":"Failed","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T08:07:44.243Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"AddedToGroup","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"172.217.204.94","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T11:02:09.101Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"ListViewed","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":36,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:58:25.446Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":18,"ResultStatus":"Failed","UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T19:39:34.035Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"PageViewedExtended","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":4,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.2","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T18:46:28.741Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Change user 
license.","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T01:09:00.502Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"SiteCollectionAdminRemoved","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":14,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:57:52.701Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"FileAccessedExtended","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T19:22:32.472Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"SearchAlertAggregate","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:43:34.606Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"SiteCollectionAdminRemoved","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":14,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T02:25:09.878Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SharingPolicyChanged","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T17:29:07.668Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Update user.","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":8,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:53:32.219Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Change user 
license.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T22:08:07.805Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-ComplianceSearch","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":18,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T06:36:37.985Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Add service 
principal.","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":8,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:02:00.528Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"ListViewed","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":36,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"SearchAlert","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-04T01:18:13.875Z","ResultStatus":"Failed","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"count
ry_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T23:59:21.139Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"SiteCollectionAdminAdded","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":14,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:15:20.344Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Change user license.","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":8,"ResultStatus":"Failed","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: 
Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:01:18.561Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchAlert","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":52,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-03T22:40:51.261Z","ResultStatus":"Failed","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T15:04:03.802Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"Get-RetentionCompliancePolicy","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T14:12:53","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SearchAlert","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":52,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-01T15:33:43.251Z","ResultStatus":"Failed","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:39:30.054Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Add service principal.","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":8,"ResultStatus":"Failed","UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T12:20:19.075Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Remove-UnifiedGroup","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T21:53:35.709Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"ListViewed","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":36,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T10:41:48.891Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileAccessedExtended","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":6,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T17:49:35.360Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Update user.","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T14:34:42.574Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Add service 
principal.","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":8,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"frank@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T11:34:23.604Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"SiteCollectionAdminRemoved","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":14,"UserKey":"ce013f05-a783-4186-9d85-5a14998b6111","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T15:30:26.272Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"ClientViewSignaled","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":4,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"brown@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 
Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T16:26:09.395Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewReport","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T11:34:22.882Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-UnifiedGroup","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"williams@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:12:40.628Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:32:07.326Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"49fd4642-cfe5-4170-9488-25d847e3579f","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T18:15:16.609Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Add service principal.","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":8,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management 
API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:19:31.498Z","Id":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","Operation":"Get-ComplianceSearch","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:33:20.246Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"ClientViewSignaled","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"smith@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SearchAlert","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":52,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-02-27T18:44:35.010Z","ResultStatus":"Succeeded","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T04:57:17.807Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":18,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T21:48:57.597Z","Id":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","Operation":"UserLoggedIn","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":15,"ResultStatus":"PartiallySucceeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T23:31:06.988Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-SupervisoryReviewReport","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T03:48:01.978Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"SiteCollectionCreated","OrganizationId":"d36253fb-24a1-481c-a199-f778534ccb5f","RecordType":4,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"140.82.113.3","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","EventData":"APITrueFalse","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchDataInsightsSubscription","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":52,"UserKey":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"80ccca67-54bd-44ab-8625-4b79c4dc7775","DataType":"DataInsightsSubscription","DatabaseType":"Directory","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"1","Subscription":"Audit.General","CreationTime":"2023-03-02T12:43:29.948Z","ResultStatus":"PartiallySucceeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T00:27:20.241Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-SupervisoryReviewReport","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":18,"ResultStatus":"Succeeded","UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-StartDate \"\" -EndDate \"\" -PageSize \"\" -Page \"\"","Parameters":"-StartDate \"5/12/2021 12:00:00 AM\" -EndDate \"5/18/2021 11:59:59 PM\" -PageSize \"300\" -Page \"1\"","StartTime":"2021-05-18T15:52:31","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T19:57:09.933Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"SearchAlertAggregate","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":52,"UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"smith@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Succeeded","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T09:36:13.334Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"SharingPolicyChanged","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":4,"UserKey":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T04:48:01.858Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ListViewed","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":36,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T14:05:08.448Z","Id":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","Operation":"Get-ComplianceSearch","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T12:21:47.828Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"ModifyFolderPermissions","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":2,"ResultStatus":"Succeeded","UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"jones@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T09:49:21.554Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"Get-SupervisoryReviewTopCasesReport","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active 
Directory.","id":"91545","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectoryStsLogon","hipaa_164.312.a.2.I,hipaa_164.312.b","hipaa_164.312.d","hipaa_164.312.e.2.II","pci_dss_8.3,pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T20:08:45.360Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"UserLoggedIn","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":15,"ResultStatus":"Succeeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.231.182.17","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":0},{"ID":"fake@email.not","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"190.16.9.176","InterSystemsId":"a3798792-fef1-4b53-bd44-bbbd94cf0e5c","IntraSystemId":"7aeca226-b3e7-4033-9a7f-d067622e8d00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","DeviceProperties":[{"Name":"OS","Value":"Windows 
10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"714c4935-a22d-400d-8563-fbbd8bfc2301"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T17:43:20.933Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Set-UnifiedGroup","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"smith@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 
(15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T07:04:12.695Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"SiteDeleted","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":6,"UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"brown@wazuh.com","CorrelationId":"bed1c99f-20ee-2000-df13-306cb6803c92","EventSource":"SharePoint","ItemType":"Web","ListItemUniqueId":"00000000-0000-0000-0000-000000000000","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","DestinationFileExtension":"","SourceFileExtension":"","DestinationFileName":"TestSharePoint","DestinationRelativeUrl":"../../https://wazuh.sharepoint.com/sites","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"TestSharePoint","SourceRe
lativeUrl":"..","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T07:00:44.097Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"Change user license.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd1
1565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T17:46:00.604Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"FileAccessed","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":6,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"williams@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T18:50:06.486Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceSearchAction","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T17:39:26.176Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"SearchAlertAggregate","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":52,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"williams@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"AlertAggregate","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/AlertAggregate?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=540&Filter=StartDate+eq+2021-04-18T17%3a59%3a48.3504050Z+and+EndDate+eq+2021-05-18T17%3a59%3a48.3504050Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"PartiallySucceeded","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T14:15:35.861Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"ListUpdated","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":36,"UserKey":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T22:58:42.804Z","Id":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","Operation":"Get-ComplianceTag","OrganizationId":"b5359092-dad2-4060-b93d-3791e4da0dec","RecordType":18,"ResultStatus":"Succeeded","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-IncludingLabelState \"\"","Parameters":"-IncludingLabelState \"True\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.2"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T09:05:09.859Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Add service 
principal.","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":8,"ResultStatus":"Succeeded","UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"SearchAlert","OrganizationId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","RecordType":52,"UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"brown@wazuh.com","AadAppId":"fc780465-2017-40d4-a0c5-307022471b92","DataType":"Alert","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/Alert?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b&PageSize=100&Filter=StartDate+eq+2021-04-18T17%3a59%3a40.8820655Z+and+EndDate+eq+2021-05-18T17%3a59%3a40.8820655Z+and+AlertCategory+any+1%2c3%2c7%2c5%2c4+and+AlertSource+eq+%27Office+365+Security+%26+Compliance%27","ResultCount":"0","Subscription":"Audit.General","CreationTime":"2023-03-05T07:30:06.201Z","ResultStatus":"PartiallySucceeded","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T02:14:46.984Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"FileModified","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.89","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"smith@wazuh.com","CorrelationId":"62d1c99f-d09c-2000-df13-37ddf480e717","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"File","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"Home.aspx","SourceRelativeUrl":"SitePages","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T12:49:55.171Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"FileAccessed","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":6,"UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"frank@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-05T06:09:34.646Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminAdded","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":14,"UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"jones@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T03:32:18.266Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"Get-DlpSensitiveInformationType","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Succeeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","Parameters":"-Organization \"0fea4e03-8146-453b-b889-54b4bd11565b\"","StartTime":"2021-05-18T17:59:45","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T22:12:47.244Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Remove-UnifiedGroup","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":1,"ResultStatus":"PartiallySucceeded","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"77.231.182.17","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T06:49:56.174Z","Id":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","Operation":"SharingPolicyChanged","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":4,"UserKey":"49fd4642-cfe5-4170-9488-25d847e3579f","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.89","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T03:34:22.984Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"FileAccessedExtended","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":6,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:04:36.198Z","Id":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","Operation":"SiteCollectionAdminAdded","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":14,"UserKey":"e8493b26-c1f9-42eb-9756-dfd363149852","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"13.226.52.104","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Web","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"a9d15b23-6ac9-43c5-af3c-b4a0916631c1","ModifiedProperties":[{"Name":"SiteAdmin","NewValue":"fake@email.not","OldValue":""}],"TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh-my.sharepoint.com/personal/tomas_turina_wazuh_com","TargetUserOrGroupName":"fake@email.not","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T14:05:43.904Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"49fd4642-cfe5-4170-9488-25d847e3579f","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b5359092-dad2-4060-b93d-3791e4da0dec","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.89"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T11:25:30.093Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"SharingPolicyChanged","OrganizationId":"6d872bf8-e462-4de8-9e16-c36761050fb7","RecordType":4,"UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":2,"Version":1,"Workload":"OneDrive","ClientIP":"108.177.13.101","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserId":"frank@wazuh.com","CorrelationId":"fd9ac79d-1100-48aa-92c5-40a73a1d443f","EventSource":"SharePoint","ItemType":"Site","Site":"f49feae4-033d-4028-97d1-3acd55341f69","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","ModifiedProperties":[{"Name":"ShareUsingAnonymousLinks","NewValue":"Enabled","OldValue":"Disabled"}],"Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint file operation 
events.","id":"91537","mail":false,"firedtimes":3,"groups":["office365","SharePointFileOperation","hipaa_164.312.b","hipaa_164.312.c.1","pci_dss_10.6.2","pci_dss_11.5"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T16:06:30.803Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"FileAccessedExtended","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":6,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"smith@wazuh.com","CorrelationId":"94d1c99f-20eb-2000-df13-35746d02911e","EventSource":"SharePoint","ItemType":"File","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","ListItemUniqueId":"3c9d8943-846e-41f3-a647-72a5e4e3decf","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","SourceFileExtension":"aspx","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint/","SourceFileName":"AllItems.aspx","SourceRelativeUrl":"Shared Documents/Forms","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"England","location":{"lat":51.5085297,"lon":-0.12574},"region_name":"London","city_name":"London"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T07:38:30.619Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Set-User","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":1,"ResultStatus":"Succeeded","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"Exchange","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"smith@wazuh.com","AppId":"","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"DB8PR04MB7065 (15.20.4150.023)","Parameters":[{"Name":"Identity","Value":"0fea4e03-8146-453b-b889-54b4bd11565b\\bdbb8236-0f48-4fc6-9f77-914cdcc02b3c"},{"Name":"SyncMailboxLocationGuids","Value":"True"},{"Name":"ErrorAction","Value":"Stop"},{"Name":"WarningAction","Value":"SilentlyContinue"}],"Subscription":"Audit.Exchange","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email 
message.","id":"91534","mail":false,"firedtimes":3,"groups":["office365","ExchangeItem","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T08:06:27.349Z","Id":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","Operation":"ModifyFolderPermissions","OrganizationId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","RecordType":2,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.104","UserId":"smith@wazuh.com","ClientIPAddress":"::1","ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","ExternalAccess":true,"InternalLogonType":1,"LogonType":1,"LogonUserSid":"S-1-5-18","MailboxGuid":"fc108b45-9d51-4b87-a473-9d5a0e404966","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-2986565805-1835265550-1383574073-20743067","MailboxOwnerUPN":"TestSharePoint@wazuh.com","OrganizationName":"wazuh.testytest.com","OriginatingServer":"AS8PR04MB8465 (15.20.4150.023)\r\n","Item":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","ParentFolder":{"Id":"LgAAAAA6tVhba3JWSaGmky7/7OvfAQDRwKc47c1sT4Waab6O4zbPAAAAAAENAAAC","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-4228942661-1267178833-1520268196-1716076558-1","MemberUpn":"Member@local","Name":"Calendar","Path":"\\Calendar"}},"Subscription":"Audit.Exchange","ObjectId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 
365: SharePoint sharing events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T02:19:10.357Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"AddedToGroup","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":14,"UserKey":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"77.231.182.17","ObjectId":"4f686e03-7cf6-44a8-9212-b8a91b128082","UserId":"williams@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T23:45:39.429Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T18:53:32.179Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"PagePrefetched","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":4,"UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.104","ObjectId":"a8080009-aa85-4d65-a0f0-74fe0331edce","UserId":"jones@wazuh.com","CorrelationId":"52d1c99f-3000-2000-df13-3ab1e8fb9f92","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T19:44:57.832Z","Id":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","Operation":"Get-ComplianceSearchAction","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"e8493b26-c1f9-42eb-9756-dfd363149852","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T23:53:16.633Z","Id":"a8080009-aa85-4d65-a0f0-74fe0331edce","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":18,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"207.45.34.78","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T14:58:48.995Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-ComplianceSearchAction","OrganizationId":"a8080009-aa85-4d65-a0f0-74fe0331edce","RecordType":18,"ResultStatus":"Failed","UserKey":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"williams@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T12:56:08.935Z","Id":"4f686e03-7cf6-44a8-9212-b8a91b128082","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","UserId":"frank@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T06:31:26.808Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Get-ComplianceSearchAction","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":18,"ResultStatus":"PartiallySucceeded","UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":2,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","UserId":"smith@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-Export \"\"","Parameters":"-Export \"True\"","StartTime":"2021-05-18T17:50:15","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T20:49:56.126Z","Id":"6d872bf8-e462-4de8-9e16-c36761050fb7","Operation":"Get-SupervisoryReviewOverallProgressReport","OrganizationId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","RecordType":18,"ResultStatus":"Failed","UserKey":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:30","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T17:44:42.397Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ListUpdated","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":36,"UserKey":"b9a73c0f-55f2-4e95-9626-1c264d02eac3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"frank@wazuh.com","CorrelationId":"48d1c99f-f0a8-2000-da82-41be3f973267","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"119","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Canada","location":{"lat":49.2496605,"lon":-123.119339},"region_name":"Vancouver","city_name":"Vancouver"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T21:23:57.920Z","Id":"d36253fb-24a1-481c-a199-f778534ccb5f","Operation":"Remove-UnifiedGroup","OrganizationId":"825f9d6e-12c0-4b59-807d-1b41c6e48a3a","RecordType":1,"ResultStatus":"Failed","UserKey":"cc58e817-c6d3-4457-b011-54e881e230ec","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.2","ObjectId":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserId":"brown@wazuh.com","AppId":"00000003-0000-0ff1-ce00-000000000000","ClientAppId":"00000003-0000-0ff1-ce00-000000000000","ExternalAccess":false,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR04MB6125 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"b47e06bf-895d-48c4-8ae4-a0fdc60ec249"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-26T13:15:20.109Z","Id":"e8493b26-c1f9-42eb-9756-dfd363149852","Operation":"Change user 
license.","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":8,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"ce013f05-a783-4186-9d85-5a14998b6111","UserId":"jones@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-27T21:21:39.590Z","Id":"b5359092-dad2-4060-b93d-3791e4da0dec","Operation":"ClientViewSignaled","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":4,"UserKey":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserType":2,"Version":1,"Workload":"SharePoint","ClientIP":"13.226.52.66","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","CorrelationId":"53d1c99f-b0aa-2000-df13-3efea9e41071","CustomUniqueId":false,"EventSource":"SharePoint","ItemType":"Page","ListId":"e4c9ce2e-d8c2-468e-baf5-f362f8c2f2f3","ListItemUniqueId":"36db3168-c1b2-44e9-9ffd-e9a8e04bb2f5","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Data Insights REST API 
events.","id":"91580","mail":false,"firedtimes":4,"groups":["office365","DataInsightsRestApiAudit","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T06:39:31.646Z","Id":"49fd4642-cfe5-4170-9488-25d847e3579f","Operation":"ValidaterbacAccessCheck","OrganizationId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","RecordType":52,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":0,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"jones@wazuh.com","AadAppId":"d6fdaa33-e821-4211-83d0-cf74736489e1","DataType":"rbacAccessCheck","RelativeUrl":"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b","ResultCount":"0","Subscription":"Audit.General","ResultStatus":"Failed","ObjectId":"9083369e-679b-4e8b-9249-323a51d5bf9c","ClientIP":"77.231.182.17"}},"location":"office365","GeoLocation":{"country_name":"Brasil","location":{"lat":-22.9064198,"lon":-43.1822319},"region_name":"Río de Janeiro","city_name":"Río de Janeiro"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint sharing 
events.","id":"91544","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T14:07:36.046Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"AddedToGroup","OrganizationId":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","RecordType":14,"UserKey":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"cc58e817-c6d3-4457-b011-54e881e230ec","UserId":"jones@wazuh.com","CorrelationId":"f1d0c99f-3094-2000-da82-454f034ca629","EventSource":"SharePoint","ItemType":"Web","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","EventData":"Site Owners","TargetUserOrGroupType":"Member","SiteUrl":"https://wazuh.sharepoint.com/sites/TestSharePoint","TargetUserOrGroupName":"SHAREPOINT\\system","Subscription":"Audit.SharePoint","ResultStatus":"Succeeded"}},"location":"office365","GeoLocation":{"country_name":"France","location":{"lat":48.8534088,"lon":2.3487999},"region_name":"Paris","city_name":"Paris"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T05:55:23.675Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-ComplianceSearch","OrganizationId":"a0995136-91d8-4acf-8449-28c275ffb7e3","RecordType":18,"ResultStatus":"Failed","UserKey":"b5359092-dad2-4060-b93d-3791e4da0dec","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"-ResultSize \"Unlimited\"","Parameters":"-ResultSize \"Unlimited\"","StartTime":"2021-05-18T17:50:12","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"13.226.52.104"}},"location":"office365","GeoLocation":{"country_name":"China","location":{"lat":31.222,"lon":121.458},"region_name":"Shanghai","city_name":"Shanghai"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Events from the Exchange admin audit 
log.","id":"91533","mail":false,"firedtimes":3,"groups":["office365","ExchangeAdmin","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T08:38:24.670Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Set-UnifiedGroup","OrganizationId":"bbab91ad-bc8a-4c86-9010-3c84b39fde0d","RecordType":1,"ResultStatus":"Failed","UserKey":"6d872bf8-e462-4de8-9e16-c36761050fb7","UserType":4,"Version":1,"Workload":"Exchange","ClientIP":"13.226.52.66","ObjectId":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","UserId":"jones@wazuh.com","AppId":"61109738-7d2b-4a0b-9fe3-660b1ff83505","ClientAppId":"","ExternalAccess":true,"OrganizationName":"wazuh.testytest.com","OriginatingServer":"VI1PR0402MB3326 (15.20.4129.033)","Parameters":[{"Name":"Identity","Value":"MGZlYTRlMDMtODE0Ni00NTNiLWI4ODktNTRiNGJkMTE1NjViXDFlYjFjNjZhLTRhYWQtNGY2Mi04NjAzLTdjMDRkZTIxYWE3Mg2"},{"Name":"EmailAddresses","Value":"smtp:TestSharePoint@wazuh.testytest.com;SMTP:TestSharePoint@wazuh.com"},{"Name":"IncludeSoftDeletedObjects","Value":"True"}],"SessionId":"","Subscription":"Audit.Exchange"}},"location":"office365","GeoLocation":{"country_name":"Germany","location":{"lat":52.524,"lon":13.411},"region_name":"Berlin","city_name":"Berlin"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory 
events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"197.17.1.4","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-02-28T22:56:36.267Z","Id":"a0995136-91d8-4acf-8449-28c275ffb7e3","Operation":"Update user.","OrganizationId":"9083369e-679b-4e8b-9249-323a51d5bf9c","RecordType":8,"ResultStatus":"Failed","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":2,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"13.226.52.66"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Office 365: Admin actions from the Security and Compliance 
Center.","id":"91548","mail":false,"firedtimes":3,"groups":["office365","SecurityComplianceCenterEOPCmdlet","hipaa_164.312.b","pci_dss_10.2.2","pci_dss_10.6.1"]},"agent":{"id":"000","ip":"10.0.0.180","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T15:41:01.659Z","Id":"9083369e-679b-4e8b-9249-323a51d5bf9c","Operation":"Get-SupervisoryReviewPolicyV2","OrganizationId":"e8493b26-c1f9-42eb-9756-dfd363149852","RecordType":18,"ResultStatus":"Succeeded","UserKey":"c3482b5d-b1a9-4f44-8df0-a601e18cf5c3","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserId":"jones@wazuh.com","SecurityComplianceCenterEventType":0,"ClientApplication":"EMC","CmdletVersion":"...","EffectiveOrganization":"wazuh.testytest.com","NonPIIParameters":"","Parameters":"","StartTime":"2021-05-18T15:52:26","UserServicePlan":"","Subscription":"Audit.General","ClientIP":"172.217.204.94"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint List 
events.","id":"91564","mail":false,"firedtimes":3,"groups":["office365","SharePointListOperation","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"24.273.97.14","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-03T23:52:56.239Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"ListViewed","OrganizationId":"4f686e03-7cf6-44a8-9212-b8a91b128082","RecordType":36,"UserKey":"d14aa5cb-b070-42f8-8709-0f8afd942fc0","UserType":4,"Version":1,"Workload":"SharePoint","ClientIP":"108.177.13.101","ObjectId":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserId":"jones@wazuh.com","CorrelationId":"f9d0c99f-b04f-2000-da82-4bb2abf6168f","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","CustomizedDoclib":false,"FromApp":true,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","Source":"Unknown","TemplateTypeId":"","ListTitle":"fd2ebaf0-900b-4dff-8fc2-d348be51e677","Subscription":"Audit.SharePoint","ResultStatus":"Failed"}},"location":"office365","GeoLocation":{"country_name":"Australia","location":{"lat":-33.8678513,"lon":151.2073212},"region_name":"Sydney","city_name":"Sydney"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: SharePoint 
events.","id":"91536","mail":false,"firedtimes":3,"groups":["office365","SharePoint","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"145.80.240.15","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-01T07:42:04.621Z","Id":"ce013f05-a783-4186-9d85-5a14998b6111","Operation":"PageViewedExtended","OrganizationId":"ce013f05-a783-4186-9d85-5a14998b6111","RecordType":4,"UserKey":"ca2044fc-32ca-478b-8b0d-ff6fdd3b1e5a","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"140.82.113.3","ObjectId":"d36253fb-24a1-481c-a199-f778534ccb5f","UserId":"brown@wazuh.com","CorrelationId":"b4d1c99f-0043-2000-da82-41b63e1d91f4","EventSource":"SharePoint","ItemType":"Page","Site":"dd58ef08-faea-4cb5-847a-35bb5c01e757","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36","WebId":"00c32555-e0d8-425f-9fbd-ef5539bfecf7","Subscription":"Audit.SharePoint","ResultStatus":"PartiallySucceeded"}},"location":"office365","GeoLocation":{"country_name":"Spain","location":{"lat":37.1881714,"lon":-3.6066699},"region_name":"Andalucía","city_name":"Granada"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"47.204.15.21","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-02T19:08:46.551Z","Id":"29f96271-5c1b-47ec-9652-a41d5cb17cb4","Operation":"Update 
user.","OrganizationId":"cc58e817-c6d3-4457-b011-54e881e230ec","RecordType":8,"ResultStatus":"Failed","UserKey":"d36253fb-24a1-481c-a199-f778534ccb5f","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","UserId":"williams@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=POWER_BI_STANDARD, AccountId=0fea4e03-8146-453b-b889-54b4bd11565b, SkuId=a403ebcc-fae0-4ca2-8c8c-7a907fd6c235, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"c976d07f-fd0f-49eb-bdc2-26c17481e1c5\",\r\n \"ServiceInstance\": \"AzureAnalysis/SDF\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-05-18T21:42:25.3894164Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2049e525-b859-401b-b2a0-e0a31c4b1fe4\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AssignedLicense, 
AssignedPlan","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3},{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"1fd09d6b-54d3-4a58-acfe-71cc2c429d97","IntraSystemId":"0a8ae201-e404-4f6f-99db-a3c92a5bd022","SupportTicketId":"","Target":[{"ID":"User_910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"910ed5ca-4ecf-414c-a1be-d53511bfe1a5","Type":2},{"ID":"User","Type":2},{"ID":"fake@email.not","Type":5},{"ID":"100320014080D3AD","Type":3}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"140.82.113.3"}},"location":"office365","GeoLocation":{"country_name":"India","location":{"lat":19.0728302,"lon":72.8826065},"region_name":"Bombay","city_name":"Bombay"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Office 365: Azure Active Directory events.","id":"91539","mail":false,"firedtimes":3,"groups":["office365","AzureActiveDirectory","hipaa_164.312.b","pci_dss_10.6.2"]},"agent":{"id":"000","ip":"187.54.247.68","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"integration":"Office365","office365":{"CreationTime":"2023-03-04T21:54:20.823Z","Id":"cc58e817-c6d3-4457-b011-54e881e230ec","Operation":"Add service 
principal.","OrganizationId":"4e93c8e3-52c1-4a4e-ab69-9e61ccf6cd00","RecordType":8,"ResultStatus":"Succeeded","UserKey":"92a7e893-0f4a-4635-af0d-83891d4ff9c0","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ObjectId":"a0995136-91d8-4acf-8449-28c275ffb7e3","UserId":"brown@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Marketplace Api\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"f738ef14-47dc-4564-b53b-45069484ccc7\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"1c5aa04b-dea5-4284-9908-47edd1e12d13\"\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"f738ef14-47dc-4564-b53b-45069484ccc7","OldValue":""}],"Actor":[{"ID":"Windows Azure Service Management API","Type":1},{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":2},{"ID":"ServicePrincipal_4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"4bf80788-0ec4-481a-ae7b-b71647bf3b57","Type":2},{"ID":"ServicePrincipal","Type":2}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","InterSystemsId":"9cfba3bb-b478-44aa-a140-465ee7f29274","IntraSystemId":"21051805-2413-594a-ab5d-006014005348","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"f6d2eabc-d020-4643-80a8-2b92b163d1de","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Marketplace 
Api","Type":1},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":2},{"ID":"f738ef14-47dc-4564-b53b-45069484ccc7","Type":4}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","Subscription":"Audit.AzureActiveDirectory","ClientIP":"108.177.13.101"}},"location":"office365","GeoLocation":{"country_name":"United States of America","location":{"lat":40.7142715,"lon":-74.0059662},"region_name":"New York","city_name":"New York"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' 
detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file 
'/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 
'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file 
'/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the 
presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file 
'/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 
'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of 
file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' 
detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file 
'/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file 
'/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file 
'/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file 
'/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the 
presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file 
'/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file 
'/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned 
version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' 
detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected 
by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 
'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version 
of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 
'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the 
presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file 
'/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file 
'/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 
'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of 
file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence 
of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file 
'/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' 
detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 
'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 
'/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of 
file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version 
of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 
'/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file 
'/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/httpd'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' 
detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file 
'/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.wormie'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 
'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ishit'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ishit'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 
'/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/srd0'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file 
'/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version 
of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 
'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of 
file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/atm'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/atm'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of 
file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version 
of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'usr/bin/ddc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ddc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' 
detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ddc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ddc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 
'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'dev/hd7'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection 
event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ddc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/ddc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file 
'/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/ldu'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 
'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the 
presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/atm'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'usr/bin/atm'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' 
detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file 'usr/bin/soucemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file 
'/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file 
'/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' 
detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly 
detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' 
detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/kr4p'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence 
of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file 
'/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file 
'/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 
'/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 
'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by 
the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected 
by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence 
of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by 
the presence of file 'tmp/.cheese'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of 
file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/lkillall'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file 
'/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mclzaKmfa'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'etc/rc.d/init.d/rc.modules'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/ldd.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of 
file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file 
'/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/include/addr.h'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected by the presence of file 
'/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected 
by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file '/usr/share/.zk'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of 
file 'usr/X11R6/.zk/xfs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the 
presence of file '/usr/lib/libpikapp.a'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 
'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the 
following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. 
When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S 
sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - 
removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, 
in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k 
audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The 
pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using 
pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not 
passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. 
The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: 
\"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for 
password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. 
Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. 
It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to 
the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not 
passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. 
Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report 
overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger 
than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w 
/etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by 
unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the 
command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. 
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by 
authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No 
profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or 
b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), 
IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. 
It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH 
-S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel 
Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during 
daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock 
the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. 
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged 
functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. 
It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, 
add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue 
-p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update 
(Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 
(http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the 
following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to 
the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. 
When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. 
In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow 
-p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, 
add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary 
changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), 
AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. 
It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. 
When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. 
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not 
passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. 
Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. 
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following 
lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. 
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. 
When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No 
profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - 
removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), 
AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F 
arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl 
utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a 
user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will 
alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows 
for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k 
audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a 
always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl 
utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. 
In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to 
the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for 
usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add 
or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. 
Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow 
-p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k 
audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in 
string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE 
package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. 
When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged 
functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will 
alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with 
the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by 
unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the 
account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH 
to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not 
passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w 
/etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: 
$ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality 
module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: 
\"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls 
requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 
(http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on 
Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify 
the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious 
code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. 
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. 
In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter 
Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit 
rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify 
password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through 
ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k 
audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: 
PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w 
/etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If 
an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged 
functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, 
add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a 
always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH 
-S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. 
Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k 
audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. 
Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules 
can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects 
Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on 
Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F 
key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and 
require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing 
attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 
(http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa 
-k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system 
already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH 
to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit 
system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions 
could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. 
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a 
user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger 
than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to 
capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login 
attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 
80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as 
to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to 
information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during 
daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow 
-p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to 
information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... 
remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on 
Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE 
package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules 
can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F 
key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts 
prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for 
General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: 
\"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts 
prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. 
Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be 
used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts 
prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k 
audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa 
-k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious 
code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. 
When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 
-S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update 
(Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the 
audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F 
arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by 
unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time 
(such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ 
sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be 
disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k 
audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. 
Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify 
the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue 
-p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged 
functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow 
-p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login 
attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify 
the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing 
attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. 
In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F 
arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by 
authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without 
authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to 
information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH 
to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. 
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in 
string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will 
alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts 
and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and 
/etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious 
code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add 
the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. 
In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. 
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger 
than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a 
password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k 
audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... 
remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. 
Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality 
module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts 
prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both 
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file 
/etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. 
Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w 
/etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: 
\"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain 
access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an 
account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules 
can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa 
-k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules 
can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out 
accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will 
alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate 
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious 
code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", 
benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with 
the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days 
is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the 
default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the 
following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: 
\"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in 
string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit 
rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of 
incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login 
attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w 
/usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k 
audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. 
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in 
/etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged 
functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of 
incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is 
configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify 
the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo 
yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system 
already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to 
unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. 
Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. 
Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by 
unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate 
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by 
unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No 
profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system 
already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. 
Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. 
Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. 
This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the 
default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. 
Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of 
a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F 
arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. 
It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red 
Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of 
incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter 
controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary 
changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report 
overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account 
is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 
3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the 
following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time 
(such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for 
password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. 
When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not 
passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. 
Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record attempts to alter time through settimeofday (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27216-1 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_settimeofday:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday","title":"Record attempts to alter time through settimeofday","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p 
wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. 
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in 
/etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. 
The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure auditd to use audispd's syslog plugin (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 136 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27341-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"},"description":"To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart","id":"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated","title":"Configure auditd to use audispd's syslog plugin","rationale":"The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server"}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue 
-p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Network Environment (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 5.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27076-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_networkconfig_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification","title":"Record Events that Modify the System's Network Environment","rationale":"The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 
5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate 
-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. 
Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 
(http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on 
Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Minimum Length (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010280 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 205 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000078-GPOS-00046 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27293-0 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_minlen:def:1"},"description":"The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. 
Add minlen= after pam_pwquality to set minimum password length requirements.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen","title":"Set Password Minimum Length","rationale":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock 
the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Enable Smart Card Login (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010500 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-2(2) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
765 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 766 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 767 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 768 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 771 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 772 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-8.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000104-GPOS-00051 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000106-GPOS-00053 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000107-GPOS-00054 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000109-GPOS-00056 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00055 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00057 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000108-GPOS-00058 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx)","identifiers":"CCE-80207-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-smartcard_auth:def:1"},"description":"To enable smart card authentication, consult the documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/solutions/82273","id":"xccdf_org.ssgproject.content_rule_smartcard_auth","title":"Enable Smart Card Login","rationale":"Smart card login provides two-factor authentication stronger than that provided by a username and password combination. 
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k 
audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. 
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on the Use of Privileged Commands (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030360 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-6(9) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2234 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000327-GPOS-00127 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27437-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_privileged_commands:def:1"},"description":"At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged","id":"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands","title":"Ensure auditd Collects 
Information on the Use of Privileged Commands","rationale":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Maximum Age (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010250 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(g) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 199 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
SRG-OS-000076-GPOS-00044 (), Req-8.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.4.1.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27051-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_maximum_age_login_defs:def:1"},"description":"To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .","id":"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs","title":"Set Password Maximum Age","rationale":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious 
code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP Report overview: Score less than 80","groups":["oscap","oscap-report"],"id":"81542","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"75.000000","profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587603934\", content: \"ssg-rhel-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"xccdf_org.ssgproject.content_profile_common\", profile-title: \"Common Profile for General-Purpose Systems\", score: \"75.000000\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27347-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_unsuccessful_file_modification:def:1"},"description":"At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access","id":"xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification","title":"Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)","rationale":"Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Lockout Time For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 002238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26884-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account 
using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time","title":"Set Lockout Time For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the 
following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Verify and Correct File Permissions with RPM (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010010 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-9(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1494 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1496 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.2.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.6 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.7 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.1.9 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 6.2.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000257-GPOS-00098 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000278-GPOS-00108 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.4.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.3.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.4.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27209-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-rpm_verify_permissions:def:1"},"description":"Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions, ownership, and gruop membership of system files and commands match vendor values. Check the file permissions, ownership, and group membership with the following command: $ sudo rpm -Va | grep '^.M' Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME","id":"xccdf_org.ssgproject.content_rule_rpm_verify_permissions","title":"Verify and Correct File Permissions with RPM","rationale":"Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects System Administrator Actions (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030700 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(7)(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), iAU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), Req-10.2.5.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), SRG-OS-000037-GPOS-00015 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000462-GPOS-00206 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000471-GPOS-00215 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27461-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_sysadmin_actions:def:1"},"description":"At a minimum, the audit system should collect administrator actions for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions","id":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions","title":"Ensure auditd Collects System Administrator Actions","rationale":"The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 
SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not 
passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the 
audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If 
an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Limit Password Reuse (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010270 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(f) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 200 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000077-GPOS-00045 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.3.3 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.6.2.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.5.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-26923-3 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_unix_remember:def:1"},"description":"Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember= for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember= The DoD STIG requirement is 5 passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember","title":"Limit Password Reuse","rationale":"Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Digit Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010140 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 194 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000071-GPOS-00039 (), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27214-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_dcredit:def:1"},"description":"The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. 
When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit","title":"Set Password Strength Minimum Digit Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the 
augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 
7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. 
Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Configure Periodic Execution of AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-020030 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(5) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 1744 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 
SRG-OS-000363-GPOS-00150 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-26952-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-aide_periodic_cron_checking:def:1"},"description":"At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.","id":"xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking","title":"Configure Periodic Execution of AIDE","rationale":"By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: Prevent Log In to Accounts With Empty Password (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"high","references":"RHEL-07-010290 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-6 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000480-GPOS-00227 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.5.2 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf), 3.1.5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27286-4 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-no_empty_passwords:def:1"},"description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.","id":"xccdf_org.ssgproject.content_rule_no_empty_passwords","title":"Prevent Log In to Accounts With Empty Password","rationale":"If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 
AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and 
/etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - chown (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030370 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 126 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000474-GPOS-00219 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27364-9 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_chown:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown","title":"Record Events that Modify the System's Discretionary Access Controls - chown","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Deny For Failed Password Attempts (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010320 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-7(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 2238 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000329-GPOS-00128 
(http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000021-GPOS-00005 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.1.6 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.3 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.5.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.8 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27350-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_passwords_pam_faillock_deny:def:1"},"description":"To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so","id":"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny","title":"Set Deny For Failed Password Attempts","rationale":"Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not 
passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read 
audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"},"full_log":"oscap: msg: \"xccdf-overview\", scan-id: \"0001587604016\", content: \"cve-redhat-7-ds.xml\", benchmark-id: \"{data.oscap.scan.benhmark.id}\", profile-id: \"No profile\", profile-title: \"No profile\", score: \"99.814812\"."} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Uppercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010120 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), 
IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 192 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000069-GPOS-00037 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-8.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 6.3.2 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)","identifiers":"CCE-27200-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_ucredit:def:1"},"description":"The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit","title":"Set Password Strength Minimum Uppercase Characters","rationale":"Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 
2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Exporting to Media (successful) (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030740 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-3(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 135 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000042-GPOS-00020 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.13 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27447-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_media_export:def:1"},"description":"At a minimum, the audit system should collect media exportation events for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export","id":"xccdf_org.ssgproject.content_rule_audit_rules_media_export","title":"Ensure auditd Collects Information on Exporting to Media (successful)","rationale":"The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. 
An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":4,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects File Deletion Events by User (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.14 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 366 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27206-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_file_deletion_events:def:1"},"description":"At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdiri,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete","id":"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events","title":"Ensure auditd Collects File Deletion Events by User","rationale":"Auditing file deletions will create an audit trail for files that are removed from the system. 
The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":9,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa 
-k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Set Password Strength Minimum Lowercase Characters (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-010130 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), IA-5(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IA-5(1)(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 193 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), SRG-OS-000070-GPOS-00038 (), Req-8.2.3 
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)","identifiers":"CCE-27345-8 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-accounts_password_pam_lcredit:def:1"},"description":"The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.","id":"xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit","title":"Set Password Strength Minimum Lowercase Characters","rationale":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Logon and Logout Events (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2884 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.8 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27204-7 
(https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_login_events:def:1"},"description":"The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins","id":"xccdf_org.ssgproject.content_rule_audit_rules_login_events","title":"Record Attempts to Alter Logon and Logout Events","rationale":"Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":6,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify the System's Discretionary Access Controls - removexattr (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose 
Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"RHEL-07-030470 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.5.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.10 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000064-GPOS-00033 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000392-GPOS-00172 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000458-GPOS-00203 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27367-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_dac_modification_removexattr:def:1"},"description":"At a minimum, the audit system should collect file permission changes for all users and root. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod","id":"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr","title":"Record Events that Modify the System's Discretionary Access Controls - removexattr","rationale":"The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 
(https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27129-6 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_kernel_module_loading:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules","id":"xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading","title":"Ensure auditd Collects Information on Kernel Module Loading and Unloading","rationale":"The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. 
It is important to have an audit trail of modules that have been introduced into the kernel."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":5,"mail":false,"level":7,"pci_dss":["2.2"],"description":"OpenSCAP: Install AIDE (not passed)","groups":["oscap","oscap-result"],"id":"81530","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"medium","references":"CM-3(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-3(e) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), CM-6(3) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-28 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SI-7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-11.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1.3.1 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 5.10.1.3 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf)","identifiers":"CCE-27096-7 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-package_aide_installed:def:1"},"description":"Install the AIDE package with the command: $ sudo yum install 
aide","id":"xccdf_org.ssgproject.content_rule_package_aide_installed","title":"Install AIDE","rationale":"The AIDE package must be installed if it is to be available for integrity checking."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 
(http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa 
-k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":3,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter the localtime File (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(b) 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27310-2 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_watch_localtime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime","title":"Record Attempts to Alter the localtime File","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":7,"mail":false,"level":3,"pci_dss":["2.2"],"description":"OpenSCAP Report overview.","groups":["oscap","oscap-report"],"id":"81540","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"score":"99.814812","profile":{"id":"No profile","title":"No profile"},"id":"0001587574647","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":8,"mail":false,"level":9,"pci_dss":["2.2"],"description":"OpenSCAP: RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) (not passed)","groups":["oscap","oscap-result"],"id":"81531","nist_800_53":["CM.1"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"No profile","title":"No profile"},"id":"0001587604016","content":"cve-redhat-7-ds.xml","benchmark":{"id":"xccdf_com.redhat.rhsa_benchmark_generated-xccdf"}},"check":{"result":"fail","severity":"high","identifiers":"CVE-2016-5195 (http://cve.mitre.org), CVE-2016-7039 (http://cve.mitre.org), CVE-2016-8666 (http://cve.mitre.org)","oval":{"id":"oval:com.redhat.rhsa:def:20170372"},"id":"xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20170372","title":"RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important)"}}},"location":"wodle_open-scap","input":{"type":"log"}} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Events that Modify User/Group Information (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_pci-dss","title":"PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"},"id":"0001587603717","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"RHEL-07-030710 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx), AC-2(4) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 18 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1403 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 2130 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.2.5 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.5 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), SRG-OS-000004-GPOS-00004 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000239-GPOS-00089 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00090 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000241-GPOS-00091 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000303-GPOS-00120 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), SRG-OS-000476-GPOS-00221 (http://iase.disa.mil/stigs/srgs/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27192-4 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_usergroup_modification:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k 
audit_rules_usergroup_modification","id":"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification","title":"Record Events that Modify User/Group Information","rationale":"In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":10,"mail":false,"level":5,"pci_dss":["2.2"],"description":"OpenSCAP: Record Attempts to Alter Time Through clock_settime (not passed)","groups":["oscap","oscap-result"],"id":"81529","nist_800_53":["CM.1"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"parent":"oscap","name":"oscap"},"data":{"oscap":{"scan":{"profile":{"id":"xccdf_org.ssgproject.content_profile_common","title":"Common Profile for General-Purpose Systems"},"id":"0001587603934","content":"ssg-rhel-7-ds.xml","benchmark":{"id":"xccdf_org.ssgproject.content_benchmark_RHEL-7"}},"check":{"result":"fail","severity":"low","references":"AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 5.2.4 
(https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), Req-10.4.2.b (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 1487 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 169 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)","identifiers":"CCE-27219-5 (https://nvd.nist.gov/cce/index.cfm)","oval":{"id":"oval:ssg-audit_rules_time_clock_settime:def:1"},"description":"If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. 
See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules","id":"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime","title":"Record Attempts to Alter Time Through clock_settime","rationale":"Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited."}}},"location":"wodle_open-scap","input":{"type":"log"}} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"1279","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 2","notchecked":4,"score":96,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"1526","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 2","notchecked":4,"score":11,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"1209","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 4","notchecked":2,"score":75,"pass":100,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"1175","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 3","notchecked":3,"score":12,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"1984","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 4","notchecked":1,"score":47,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"1524","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":60,"rule_title":"CIS-CAT 6","notchecked":3,"score":90,"pass":13,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"2461","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 6","notchecked":3,"score":13,"pass":49,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"301","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 2","notchecked":5,"score":91,"pass":87,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"4632","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":30,"pass":63,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"2893","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 6","notchecked":5,"score":60,"pass":75,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"1946","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 2","notchecked":2,"score":52,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"1271","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":27,"rule_title":"CIS-CAT 3","notchecked":1,"score":76,"pass":73,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"3745","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":45,"rule_title":"CIS-CAT 1","notchecked":4,"score":67,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"3485","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 3","notchecked":1,"score":26,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"2786","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 5","notchecked":0,"score":42,"pass":3,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"3972","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 3","notchecked":0,"score":100,"pass":87,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"4588","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 4","notchecked":0,"score":27,"pass":21,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"2809","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":38,"rule_title":"CIS-CAT 6","notchecked":5,"score":46,"pass":62,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"794","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 6","notchecked":2,"score":88,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"5162","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":72,"rule_title":"CIS-CAT 3","notchecked":4,"score":72,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
2","id":"81","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":31,"rule_title":"CIS-CAT 1","notchecked":0,"score":54,"pass":30,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"2343","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 4","notchecked":4,"score":30,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"2340","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 4","notchecked":5,"score":63,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"290","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 6","notchecked":3,"score":10,"pass":14,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"3707","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":49,"rule_title":"CIS-CAT 4","notchecked":3,"score":9,"pass":95,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"753","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":14,"rule_title":"CIS-CAT 5","notchecked":1,"score":69,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"827","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":68,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"1196","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":88,"rule_title":"CIS-CAT 1","notchecked":0,"score":93,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"3382","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":86,"rule_title":"CIS-CAT 1","notchecked":0,"score":80,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"139","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":79,"rule_title":"CIS-CAT 1","notchecked":1,"score":16,"pass":80,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"732","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 4","notchecked":1,"score":83,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"698","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":53,"rule_title":"CIS-CAT 6","notchecked":5,"score":44,"pass":51,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
4","id":"2607","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 1","notchecked":3,"score":47,"pass":24,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"3315","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 6","notchecked":3,"score":5,"pass":49,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"1688","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 5","notchecked":4,"score":48,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"2504","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":5,"pass":89,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"2966","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 4","notchecked":5,"score":92,"pass":35,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"1763","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 3","notchecked":0,"score":99,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"2339","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 1","notchecked":4,"score":96,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"532","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":27,"rule_title":"CIS-CAT 1","notchecked":5,"score":22,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"737","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 2","notchecked":1,"score":91,"pass":61,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
3","id":"2669","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 3","notchecked":0,"score":57,"pass":94,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"2895","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 6","notchecked":4,"score":75,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 4","notchecked":2,"score":51,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"4504","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 3","notchecked":3,"score":93,"pass":43,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":31,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"207","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 1","notchecked":1,"score":67,"pass":16,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"3139","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 2","notchecked":3,"score":0,"pass":93,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
2","id":"3489","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 2","notchecked":5,"score":79,"pass":83,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"3341","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":13,"rule_title":"CIS-CAT 4","notchecked":2,"score":84,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"370","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 1","notchecked":1,"score":68,"pass":2,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"1414","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 4","notchecked":2,"score":3,"pass":14,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"1978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 1","notchecked":5,"score":0,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":74,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"3787","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 1","notchecked":4,"score":58,"pass":9,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
5","id":"1121","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 1","notchecked":3,"score":16,"pass":31,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 4","id":"4852","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 4","notchecked":4,"score":80,"pass":39,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"2802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":8,"rule_title":"CIS-CAT 6","notchecked":1,"score":82,"pass":0,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"1211","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":4,"score":5,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"4700","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":25,"rule_title":"CIS-CAT 6","notchecked":5,"score":95,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4398","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 5","notchecked":5,"score":49,"pass":57,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"1975","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":24,"rule_title":"CIS-CAT 1","notchecked":3,"score":99,"pass":80,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"1654","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":45,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"1153","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 2","notchecked":1,"score":35,"pass":40,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
4","id":"2318","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 3","notchecked":4,"score":58,"pass":65,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"2162","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":5,"score":32,"pass":27,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":37,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"2319","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":41,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
1","id":"830","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 5","notchecked":1,"score":2,"pass":61,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"2202","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 5","notchecked":5,"score":19,"pass":60,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"1047","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 2","notchecked":3,"score":19,"pass":63,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"5332","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":4,"score":17,"pass":47,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"2933","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 6","notchecked":2,"score":94,"pass":17,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"518","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 1","notchecked":5,"score":43,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
2","id":"599","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 4","notchecked":5,"score":49,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"1822","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 6","notchecked":4,"score":73,"pass":84,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"2213","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":78,"rule_title":"CIS-CAT 2","notchecked":5,"score":29,"pass":80,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"3427","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":11,"rule_title":"CIS-CAT 4","notchecked":0,"score":83,"pass":87,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"4854","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":31,"pass":64,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":73,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"315","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 5","notchecked":4,"score":41,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"2330","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 2","notchecked":3,"score":59,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"4213","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 5","notchecked":1,"score":27,"pass":57,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"5392","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":0,"score":85,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
1","id":"2006","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 6","notchecked":2,"score":97,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"3099","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":73,"rule_title":"CIS-CAT 1","notchecked":3,"score":73,"pass":89,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"5166","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":55,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
5","id":"632","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 4","notchecked":1,"score":78,"pass":69,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"1435","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":49,"rule_title":"CIS-CAT 4","notchecked":1,"score":75,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"1488","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 4","notchecked":4,"score":49,"pass":21,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"2666","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":32,"rule_title":"CIS-CAT 2","notchecked":0,"score":65,"pass":52,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"2299","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":5,"rule_title":"CIS-CAT 2","notchecked":2,"score":93,"pass":2,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"740","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 6","notchecked":4,"score":74,"pass":69,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"3141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":15,"rule_title":"CIS-CAT 6","notchecked":5,"score":24,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"3955","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":22,"rule_title":"CIS-CAT 3","notchecked":1,"score":68,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"2924","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":0,"rule_title":"CIS-CAT 4","notchecked":1,"score":68,"pass":55,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"1364","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":56,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 4","id":"968","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":0,"score":75,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 5","id":"3551","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 1","notchecked":1,"score":93,"pass":11,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"3618","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 2","notchecked":0,"score":9,"pass":0,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"344","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":24,"rule_title":"CIS-CAT 1","notchecked":0,"score":2,"pass":13,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"5627","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 6","notchecked":1,"score":66,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"784","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 6","notchecked":3,"score":94,"pass":5,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"1163","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 4","notchecked":0,"score":7,"pass":6,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"3016","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 3","notchecked":2,"score":63,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":88,"rule_title":"CIS-CAT 3","notchecked":3,"score":4,"pass":100,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 4","id":"3489","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 6","notchecked":0,"score":13,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"4610","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 4","notchecked":5,"score":46,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
1","id":"1958","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":73,"rule_title":"CIS-CAT 2","notchecked":0,"score":1,"pass":65,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"5351","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":34,"rule_title":"CIS-CAT 6","notchecked":3,"score":9,"pass":72,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":80,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"3041","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 3","notchecked":4,"score":44,"pass":15,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":80,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"4581","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 6","notchecked":0,"score":88,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"5583","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 5","notchecked":4,"score":32,"pass":10,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"3937","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 1","notchecked":1,"score":58,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"3090","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":25,"rule_title":"CIS-CAT 4","notchecked":5,"score":96,"pass":30,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"1407","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 1","notchecked":0,"score":69,"pass":20,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"3180","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":1,"rule_title":"CIS-CAT 2","notchecked":3,"score":93,"pass":95,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"5206","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 6","notchecked":1,"score":34,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"3460","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 2","notchecked":0,"score":68,"pass":35,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"4596","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 6","notchecked":5,"score":76,"pass":84,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"4197","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 4","notchecked":0,"score":94,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"3491","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":73,"rule_title":"CIS-CAT 2","notchecked":5,"score":100,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"4314","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":71,"rule_title":"CIS-CAT 3","notchecked":5,"score":65,"pass":10,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
2","id":"2826","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 6","notchecked":1,"score":15,"pass":29,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"2060","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":4,"score":3,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"4223","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 1","notchecked":4,"score":5,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
5","id":"1263","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 2","notchecked":2,"score":49,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"1176","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":8,"rule_title":"CIS-CAT 4","notchecked":5,"score":20,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"178","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 4","notchecked":3,"score":67,"pass":90,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
1","id":"4678","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 3","notchecked":4,"score":78,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"3010","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 5","notchecked":1,"score":59,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"2656","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 6","notchecked":0,"score":86,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"5980","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":75,"rule_title":"CIS-CAT 6","notchecked":0,"score":71,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4450","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 6","notchecked":4,"score":59,"pass":75,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"4589","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 3","notchecked":0,"score":81,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"1167","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":41,"rule_title":"CIS-CAT 6","notchecked":5,"score":26,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"4422","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 1","notchecked":2,"score":39,"pass":88,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"206","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":96,"rule_title":"CIS-CAT 5","notchecked":4,"score":46,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
3","id":"1777","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":5,"rule_title":"CIS-CAT 2","notchecked":0,"score":81,"pass":99,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"1872","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":92,"rule_title":"CIS-CAT 4","notchecked":2,"score":83,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"1783","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":3,"score":69,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"793","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":5,"score":91,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"3058","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":32,"rule_title":"CIS-CAT 5","notchecked":3,"score":56,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"2589","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 5","notchecked":5,"score":87,"pass":82,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"4528","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":5,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"4538","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":96,"rule_title":"CIS-CAT 4","notchecked":0,"score":63,"pass":79,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"5097","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":18,"rule_title":"CIS-CAT 5","notchecked":3,"score":79,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"2820","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 6","notchecked":3,"score":98,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"1005","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 6","notchecked":1,"score":95,"pass":85,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 1","id":"2320","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":76,"rule_title":"CIS-CAT 5","notchecked":2,"score":25,"pass":10,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"4849","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 6","notchecked":0,"score":51,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"1387","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":1,"rule_title":"CIS-CAT 1","notchecked":3,"score":2,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"4266","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 5","notchecked":5,"score":96,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"2158","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 2","notchecked":2,"score":73,"pass":68,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"2772","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 1","notchecked":2,"score":31,"pass":56,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"5498","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":0,"score":23,"pass":82,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"4086","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 2","notchecked":4,"score":57,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"5854","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 3","notchecked":3,"score":44,"pass":56,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"3635","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 5","notchecked":2,"score":13,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"1144","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 2","notchecked":3,"score":12,"pass":30,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"5479","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 1","notchecked":5,"score":61,"pass":93,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"3486","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":71,"rule_title":"CIS-CAT 6","notchecked":0,"score":85,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
2","id":"2558","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 5","notchecked":4,"score":10,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"3892","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 2","notchecked":1,"score":56,"pass":43,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"2990","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":37,"rule_title":"CIS-CAT 5","notchecked":2,"score":48,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"4581","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 6","notchecked":5,"score":89,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"146","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 1","notchecked":1,"score":82,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"4542","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 5","notchecked":3,"score":78,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"4512","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":23,"rule_title":"CIS-CAT 3","notchecked":4,"score":96,"pass":49,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"5801","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 5","notchecked":2,"score":63,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"661","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":8,"rule_title":"CIS-CAT 6","notchecked":5,"score":23,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"2903","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":5,"rule_title":"CIS-CAT 5","notchecked":4,"score":92,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"1589","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 4","notchecked":3,"score":13,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"278","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":10,"rule_title":"CIS-CAT 1","notchecked":5,"score":26,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"5607","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 4","notchecked":1,"score":15,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"3840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":5,"score":8,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":37,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"5003","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 1","notchecked":2,"score":94,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"310","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 2","notchecked":0,"score":67,"pass":19,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"4413","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":2,"score":89,"pass":5,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"5597","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 4","notchecked":1,"score":24,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"2086","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":71,"rule_title":"CIS-CAT 1","notchecked":3,"score":18,"pass":23,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"1632","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 4","notchecked":1,"score":95,"pass":84,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":37,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"2902","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 6","notchecked":4,"score":11,"pass":51,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
3","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":51,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"801","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":42,"rule_title":"CIS-CAT 5","notchecked":1,"score":34,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"4328","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 1","notchecked":4,"score":8,"pass":99,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
1","id":"796","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 1","notchecked":5,"score":32,"pass":89,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"3053","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":3,"rule_title":"CIS-CAT 2","notchecked":4,"score":45,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 2","id":"1503","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 5","notchecked":3,"score":18,"pass":18,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"3826","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":10,"pass":53,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"1531","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":53,"rule_title":"CIS-CAT 1","notchecked":2,"score":20,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"5595","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":23,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
4","id":"2164","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 4","notchecked":4,"score":34,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"3200","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":0,"score":28,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"202","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 1","notchecked":0,"score":57,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
4","id":"2192","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":74,"rule_title":"CIS-CAT 6","notchecked":3,"score":73,"pass":65,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"2589","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":52,"rule_title":"CIS-CAT 2","notchecked":0,"score":82,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"2778","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":35,"rule_title":"CIS-CAT 3","notchecked":3,"score":93,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"1364","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":19,"rule_title":"CIS-CAT 5","notchecked":2,"score":2,"pass":0,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"590","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 1","notchecked":2,"score":35,"pass":62,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"4771","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 3","notchecked":0,"score":43,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"4434","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":1,"score":99,"pass":30,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"1113","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 2","notchecked":2,"score":82,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"1778","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 1","notchecked":3,"score":34,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
1","id":"4427","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":78,"rule_title":"CIS-CAT 6","notchecked":4,"score":24,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"2633","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 5","notchecked":0,"score":71,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"1587","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":63,"rule_title":"CIS-CAT 6","notchecked":4,"score":98,"pass":23,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"1531","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 1","notchecked":4,"score":67,"pass":9,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"4959","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 6","notchecked":0,"score":5,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"3366","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":60,"rule_title":"CIS-CAT 4","notchecked":0,"score":32,"pass":62,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"2926","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":47,"rule_title":"CIS-CAT 3","notchecked":0,"score":18,"pass":53,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"4803","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 1","notchecked":1,"score":99,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"1621","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 6","notchecked":3,"score":39,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"768","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 1","notchecked":3,"score":72,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"2176","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 4","notchecked":3,"score":38,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"1491","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":14,"pass":88,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
1","id":"3658","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":5,"score":64,"pass":79,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"905","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 1","notchecked":4,"score":68,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 3","id":"2622","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 5","notchecked":0,"score":43,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"4356","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 5","notchecked":0,"score":2,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"2843","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 3","notchecked":0,"score":91,"pass":69,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"5641","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 6","notchecked":0,"score":25,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
1","id":"3018","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 4","notchecked":5,"score":6,"pass":59,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"3746","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 3","notchecked":1,"score":66,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"3155","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 1","notchecked":3,"score":23,"pass":39,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"44","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":5,"score":39,"pass":13,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"4376","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 4","notchecked":5,"score":52,"pass":21,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 5","id":"394","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 2","notchecked":2,"score":33,"pass":55,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"4590","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 6","notchecked":2,"score":59,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"3052","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":76,"rule_title":"CIS-CAT 4","notchecked":5,"score":6,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"2962","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":32,"rule_title":"CIS-CAT 1","notchecked":4,"score":31,"pass":75,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
4","id":"1004","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 1","notchecked":2,"score":99,"pass":47,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"2397","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 3","notchecked":4,"score":11,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"3583","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 4","notchecked":4,"score":20,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"501","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":5,"score":26,"pass":51,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 2","id":"3410","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":74,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"251","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 2","notchecked":4,"score":25,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"4595","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":53,"rule_title":"CIS-CAT 2","notchecked":4,"score":11,"pass":50,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"3933","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 6","notchecked":1,"score":4,"pass":47,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"4556","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 4","notchecked":2,"score":21,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
5","id":"1866","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 1","notchecked":1,"score":6,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":74,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"637","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 5","notchecked":1,"score":86,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"1552","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 1","notchecked":2,"score":96,"pass":5,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
4","id":"2295","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 1","notchecked":1,"score":64,"pass":99,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"2149","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":0,"score":98,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"636","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":10,"rule_title":"CIS-CAT 3","notchecked":4,"score":63,"pass":87,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"633","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":22,"rule_title":"CIS-CAT 1","notchecked":1,"score":96,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"535","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":79,"rule_title":"CIS-CAT 5","notchecked":5,"score":31,"pass":73,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 4","id":"5551","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 2","notchecked":3,"score":68,"pass":99,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
4","id":"1164","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":4,"score":46,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"3571","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 6","notchecked":3,"score":34,"pass":17,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"2445","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":1,"rule_title":"CIS-CAT 5","notchecked":3,"score":7,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"3089","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 4","notchecked":2,"score":92,"pass":74,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":73,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"886","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 6","notchecked":2,"score":83,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"5133","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 2","notchecked":2,"score":93,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
4","id":"1612","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 6","notchecked":5,"score":17,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"5043","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":3,"score":8,"pass":44,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":45,"rule_title":"CIS-CAT 3","notchecked":4,"score":16,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
1","id":"3303","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 4","notchecked":3,"score":13,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"3207","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 1","notchecked":0,"score":83,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"4024","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":50,"rule_title":"CIS-CAT 3","notchecked":0,"score":82,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"653","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":24,"rule_title":"CIS-CAT 6","notchecked":4,"score":100,"pass":2,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"1193","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 3","notchecked":5,"score":6,"pass":86,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"2312","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 4","notchecked":1,"score":77,"pass":68,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
4","id":"679","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":15,"rule_title":"CIS-CAT 4","notchecked":3,"score":3,"pass":46,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"2502","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"5752","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
4","id":"5009","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":8,"rule_title":"CIS-CAT 3","notchecked":2,"score":5,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 3","id":"333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 2","notchecked":1,"score":10,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"1022","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 5","notchecked":1,"score":44,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"4797","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 6","notchecked":0,"score":47,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"5899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":75,"rule_title":"CIS-CAT 4","notchecked":0,"score":44,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 1","id":"515","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 1","notchecked":1,"score":91,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
1","id":"270","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 6","notchecked":0,"score":46,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"4776","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":96,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"356","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 1","notchecked":5,"score":27,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"5100","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":53,"rule_title":"CIS-CAT 4","notchecked":4,"score":32,"pass":13,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"5676","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 5","notchecked":4,"score":9,"pass":49,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"75","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"10","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 2","notchecked":3,"score":98,"pass":73,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"1391","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 6","notchecked":4,"score":81,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"3404","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 3","notchecked":0,"score":38,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
3","id":"2859","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 5","notchecked":3,"score":98,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"1594","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 5","notchecked":0,"score":39,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"1704","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":21,"rule_title":"CIS-CAT 5","notchecked":3,"score":36,"pass":44,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"289","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 4","notchecked":4,"score":28,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"3668","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 4","notchecked":3,"score":23,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"3104","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":60,"rule_title":"CIS-CAT 3","notchecked":5,"score":24,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"1104","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 5","notchecked":1,"score":4,"pass":4,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"4656","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 4","notchecked":5,"score":84,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"2124","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":13,"rule_title":"CIS-CAT 6","notchecked":5,"score":41,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
1","id":"2594","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 2","notchecked":5,"score":43,"pass":17,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"398","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 1","notchecked":5,"score":20,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"4910","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":33,"rule_title":"CIS-CAT 4","notchecked":0,"score":68,"pass":79,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"3760","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":13,"rule_title":"CIS-CAT 6","notchecked":4,"score":7,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"271","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"5623","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 1","notchecked":3,"score":96,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
4","id":"2706","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":31,"pass":2,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"3482","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":55,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"139","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 1","notchecked":4,"score":27,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
5","id":"1336","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":5,"score":65,"pass":66,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"2070","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 2","notchecked":3,"score":43,"pass":64,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 2","id":"1482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 2","notchecked":4,"score":26,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
4","id":"3464","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 4","notchecked":1,"score":36,"pass":21,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"5780","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":47,"rule_title":"CIS-CAT 6","notchecked":3,"score":29,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"3728","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 1","notchecked":1,"score":19,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"3262","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 4","notchecked":3,"score":61,"pass":72,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"3493","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 5","notchecked":3,"score":35,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2203","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 1","notchecked":5,"score":82,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"1468","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 4","notchecked":4,"score":92,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"2142","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":61,"rule_title":"CIS-CAT 1","notchecked":0,"score":39,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"1310","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 1","notchecked":5,"score":93,"pass":30,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
2","id":"1677","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":86,"rule_title":"CIS-CAT 6","notchecked":5,"score":36,"pass":86,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4337","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 5","notchecked":5,"score":87,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"1495","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 2","notchecked":2,"score":56,"pass":37,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"749","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":32,"rule_title":"CIS-CAT 5","notchecked":3,"score":29,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"2083","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 4","notchecked":3,"score":85,"pass":100,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 3","id":"2328","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 3","notchecked":1,"score":79,"pass":88,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
1","id":"3239","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 6","notchecked":2,"score":45,"pass":14,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"4375","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 5","notchecked":1,"score":67,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"4107","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 3","notchecked":2,"score":77,"pass":39,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"3309","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":53,"rule_title":"CIS-CAT 4","notchecked":0,"score":49,"pass":5,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"1610","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 1","notchecked":5,"score":68,"pass":70,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"5376","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 4","notchecked":0,"score":49,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"2169","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":1,"score":48,"pass":41,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"2260","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 3","notchecked":1,"score":26,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"5530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
4","id":"3690","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 6","notchecked":2,"score":26,"pass":65,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"5225","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 1","notchecked":0,"score":7,"pass":98,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"4328","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":2,"score":100,"pass":0,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
1","id":"4528","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":11,"rule_title":"CIS-CAT 1","notchecked":5,"score":53,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"3265","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 2","notchecked":3,"score":35,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"4557","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 4","notchecked":3,"score":46,"pass":51,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"1906","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 6","notchecked":0,"score":75,"pass":100,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"679","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":5,"score":71,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"819","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 1","notchecked":3,"score":23,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
2","id":"5842","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 5","notchecked":3,"score":19,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":74,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"124","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 5","notchecked":5,"score":4,"pass":51,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"1452","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 2","notchecked":0,"score":70,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":64,"rule_title":"CIS-CAT 3","notchecked":3,"score":88,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"1837","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 3","notchecked":3,"score":41,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"1454","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 6","notchecked":5,"score":70,"pass":72,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
5","id":"2844","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 5","notchecked":2,"score":14,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"4279","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":4,"score":71,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"2960","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":27,"rule_title":"CIS-CAT 5","notchecked":4,"score":62,"pass":30,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"5647","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":36,"rule_title":"CIS-CAT 3","notchecked":0,"score":47,"pass":42,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"1094","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":33,"rule_title":"CIS-CAT 1","notchecked":5,"score":30,"pass":85,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"4207","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 3","notchecked":5,"score":48,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"1234","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":0,"score":79,"pass":65,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"1633","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":0,"score":100,"pass":19,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"3866","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 4","notchecked":2,"score":61,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"3589","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":4,"score":49,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"5890","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":93,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"4650","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 2","notchecked":3,"score":66,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"4646","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 4","notchecked":0,"score":18,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"42","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":2,"score":5,"pass":50,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":73,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"1654","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 5","notchecked":0,"score":39,"pass":91,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":31,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"5800","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 5","notchecked":3,"score":27,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"5374","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 6","notchecked":0,"score":62,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"4844","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":100,"rule_title":"CIS-CAT 5","notchecked":4,"score":7,"pass":80,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
1","id":"5613","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 3","notchecked":0,"score":12,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"2189","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":19,"rule_title":"CIS-CAT 5","notchecked":1,"score":47,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"5323","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":44,"rule_title":"CIS-CAT 6","notchecked":4,"score":96,"pass":67,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
4","id":"4851","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":14,"rule_title":"CIS-CAT 6","notchecked":3,"score":41,"pass":99,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"2686","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 6","notchecked":1,"score":31,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"5781","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 5","notchecked":0,"score":99,"pass":27,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
4","id":"1181","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 5","notchecked":3,"score":50,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"3636","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 2","notchecked":4,"score":85,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"3588","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 3","notchecked":0,"score":90,"pass":50,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
2","id":"227","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 2","notchecked":0,"score":37,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"2056","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":42,"rule_title":"CIS-CAT 1","notchecked":3,"score":15,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"3772","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 3","notchecked":3,"score":95,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
1","id":"4792","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":0,"score":15,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"5209","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":3,"score":69,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"5949","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 5","notchecked":2,"score":95,"pass":84,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"2470","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 1","notchecked":2,"score":66,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2937","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":3,"rule_title":"CIS-CAT 1","notchecked":0,"score":15,"pass":22,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"785","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 3","notchecked":0,"score":82,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"4759","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":3,"score":98,"pass":76,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"5079","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 6","notchecked":4,"score":26,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"3413","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 1","notchecked":4,"score":14,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
3","id":"4310","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":76,"rule_title":"CIS-CAT 4","notchecked":1,"score":89,"pass":53,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"1294","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":66,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"682","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":90,"rule_title":"CIS-CAT 3","notchecked":0,"score":38,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"5028","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 2","notchecked":1,"score":21,"pass":41,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"559","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":53,"rule_title":"CIS-CAT 1","notchecked":2,"score":94,"pass":62,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"5670","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 1","notchecked":0,"score":23,"pass":26,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"5753","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 4","notchecked":4,"score":23,"pass":0,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"1075","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 2","notchecked":3,"score":32,"pass":18,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"2145","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 5","notchecked":1,"score":35,"pass":61,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"3021","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 5","notchecked":2,"score":39,"pass":5,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"914","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"3765","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 5","notchecked":2,"score":44,"pass":40,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
2","id":"5662","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 2","notchecked":1,"score":13,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"356","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 5","notchecked":2,"score":17,"pass":70,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"873","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":27,"rule_title":"CIS-CAT 2","notchecked":0,"score":89,"pass":85,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
3","id":"3883","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 5","notchecked":5,"score":91,"pass":79,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":74,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"2861","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":4,"score":97,"pass":69,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"3075","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":86,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":72,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
5","id":"102","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":80,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"5919","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":97,"rule_title":"CIS-CAT 1","notchecked":4,"score":10,"pass":67,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 2","id":"5283","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":4,"score":67,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 1","notchecked":3,"score":64,"pass":91,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"1347","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 2","notchecked":0,"score":67,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"3124","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 2","notchecked":1,"score":44,"pass":73,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
4","id":"4233","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":3,"rule_title":"CIS-CAT 4","notchecked":2,"score":63,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"1075","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 3","notchecked":5,"score":98,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"4659","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":22,"rule_title":"CIS-CAT 5","notchecked":2,"score":62,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
1","id":"764","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"1582","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 3","notchecked":5,"score":24,"pass":15,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2583","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":13,"rule_title":"CIS-CAT 5","notchecked":2,"score":93,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"3767","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":0,"score":87,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"1473","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 4","notchecked":4,"score":41,"pass":49,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"812","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 2","notchecked":5,"score":59,"pass":45,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 3","notchecked":1,"score":32,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"2329","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":69,"rule_title":"CIS-CAT 4","notchecked":0,"score":7,"pass":19,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"2625","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 3","notchecked":3,"score":89,"pass":88,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
2","id":"827","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":32,"rule_title":"CIS-CAT 3","notchecked":5,"score":88,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"4132","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":52,"rule_title":"CIS-CAT 5","notchecked":1,"score":91,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":80,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"4096","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 3","notchecked":4,"score":68,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"4208","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 2","notchecked":3,"score":41,"pass":93,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"4324","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":47,"rule_title":"CIS-CAT 4","notchecked":2,"score":88,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"561","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 3","notchecked":0,"score":2,"pass":28,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"558","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 3","notchecked":5,"score":89,"pass":91,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"4714","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":44,"rule_title":"CIS-CAT 3","notchecked":1,"score":74,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"420","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":13,"rule_title":"CIS-CAT 1","notchecked":5,"score":0,"pass":43,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
2","id":"4024","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":4,"score":67,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"584","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":33,"rule_title":"CIS-CAT 1","notchecked":0,"score":23,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"4583","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 4","notchecked":4,"score":75,"pass":87,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"5693","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 6","notchecked":4,"score":41,"pass":68,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 1","id":"4683","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":51,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2263","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 6","notchecked":2,"score":77,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"2289","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":4,"score":88,"pass":30,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2217","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 3","notchecked":0,"score":86,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"3488","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 6","notchecked":1,"score":30,"pass":61,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"5010","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":82,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"3588","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":5,"score":17,"pass":57,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"4830","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 3","notchecked":3,"score":78,"pass":47,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"2829","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 3","notchecked":4,"score":6,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"992","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 6","notchecked":1,"score":76,"pass":91,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"5998","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":37,"rule_title":"CIS-CAT 4","notchecked":2,"score":7,"pass":55,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
3","id":"705","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":49,"rule_title":"CIS-CAT 5","notchecked":1,"score":5,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"5011","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 6","notchecked":2,"score":92,"pass":91,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"970","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":96,"rule_title":"CIS-CAT 6","notchecked":4,"score":35,"pass":87,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"2709","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 3","notchecked":5,"score":31,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"4328","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":0,"score":94,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"2973","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":5,"score":20,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"3017","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 2","notchecked":4,"score":49,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 4","id":"854","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":34,"rule_title":"CIS-CAT 1","notchecked":2,"score":64,"pass":97,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"3575","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":24,"rule_title":"CIS-CAT 6","notchecked":2,"score":65,"pass":26,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"5811","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":0,"rule_title":"CIS-CAT 5","notchecked":3,"score":58,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"2121","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 2","notchecked":1,"score":99,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"1596","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":51,"rule_title":"CIS-CAT 1","notchecked":1,"score":27,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
1","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 6","notchecked":4,"score":4,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"719","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 1","notchecked":4,"score":86,"pass":83,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":74,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"5165","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 5","notchecked":4,"score":48,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
1","id":"1199","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 1","notchecked":2,"score":72,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"1081","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":21,"rule_title":"CIS-CAT 3","notchecked":5,"score":45,"pass":37,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"3739","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":5,"rule_title":"CIS-CAT 3","notchecked":2,"score":42,"pass":47,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"1506","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":1,"rule_title":"CIS-CAT 4","notchecked":1,"score":0,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"2066","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 6","notchecked":3,"score":16,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"2930","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 1","notchecked":3,"score":59,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
3","id":"1688","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 6","notchecked":4,"score":2,"pass":84,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"4476","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":86,"rule_title":"CIS-CAT 4","notchecked":4,"score":89,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"2472","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":3,"score":57,"pass":65,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
4","id":"4140","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 6","notchecked":4,"score":73,"pass":80,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"5621","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 3","notchecked":0,"score":16,"pass":33,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"549","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":53,"rule_title":"CIS-CAT 3","notchecked":2,"score":86,"pass":98,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
4","id":"269","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":22,"rule_title":"CIS-CAT 2","notchecked":3,"score":45,"pass":80,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"2145","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 5","notchecked":4,"score":26,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 4","id":"701","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":3,"score":9,"pass":43,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"5783","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":10,"rule_title":"CIS-CAT 1","notchecked":4,"score":79,"pass":79,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"3156","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":36,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"5143","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":10,"rule_title":"CIS-CAT 5","notchecked":3,"score":10,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"3781","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 4","notchecked":4,"score":52,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"611","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 1","notchecked":0,"score":46,"pass":51,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"1033","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 3","notchecked":1,"score":83,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"493","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 2","notchecked":5,"score":4,"pass":27,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"4063","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 2","notchecked":0,"score":87,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4754","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
5","id":"5448","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 2","notchecked":2,"score":97,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"5939","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":44,"rule_title":"CIS-CAT 3","notchecked":1,"score":34,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"3559","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":18,"rule_title":"CIS-CAT 5","notchecked":2,"score":62,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"738","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 2","notchecked":5,"score":28,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"5668","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":3,"score":89,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"2988","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 1","notchecked":1,"score":97,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"1136","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 6","notchecked":5,"score":83,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"2286","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 5","notchecked":4,"score":7,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"2009","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":4,"score":58,"pass":59,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
4","id":"2241","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 6","notchecked":4,"score":62,"pass":53,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"889","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 4","notchecked":4,"score":55,"pass":79,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"153","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":0,"score":18,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"267","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 4","notchecked":1,"score":83,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"4668","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":19,"pass":3,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"321","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 6","notchecked":2,"score":80,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"2747","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 2","notchecked":2,"score":13,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"3399","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 5","notchecked":1,"score":20,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 5","id":"3001","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":13,"rule_title":"CIS-CAT 4","notchecked":1,"score":88,"pass":20,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"3317","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":8,"rule_title":"CIS-CAT 1","notchecked":0,"score":49,"pass":56,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"4065","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 5","notchecked":4,"score":19,"pass":23,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"3347","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 3","notchecked":1,"score":38,"pass":57,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"2938","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":1,"score":55,"pass":15,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"448","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":60,"rule_title":"CIS-CAT 6","notchecked":4,"score":20,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":36,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"2264","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 3","notchecked":5,"score":95,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":31,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"2159","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 6","notchecked":1,"score":52,"pass":60,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"1021","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":53,"rule_title":"CIS-CAT 6","notchecked":3,"score":54,"pass":76,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"2028","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 2","notchecked":4,"score":6,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"5376","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 5","notchecked":4,"score":2,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"4899","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":35,"rule_title":"CIS-CAT 4","notchecked":4,"score":47,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
3","id":"4214","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":5,"score":98,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"947","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 5","notchecked":0,"score":37,"pass":19,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"5115","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 2","notchecked":3,"score":45,"pass":90,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"1311","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 2","notchecked":5,"score":1,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"4757","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":47,"rule_title":"CIS-CAT 4","notchecked":0,"score":17,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"5866","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":74,"rule_title":"CIS-CAT 4","notchecked":2,"score":1,"pass":44,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
2","id":"1575","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 2","notchecked":1,"score":11,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"3564","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":47,"pass":33,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"3602","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 5","notchecked":0,"score":77,"pass":3,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
5","id":"4122","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":40,"rule_title":"CIS-CAT 3","notchecked":3,"score":49,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 2","id":"4656","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 2","notchecked":5,"score":80,"pass":57,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"3613","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 2","notchecked":5,"score":53,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"2432","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":88,"rule_title":"CIS-CAT 3","notchecked":3,"score":91,"pass":39,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"260","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":52,"rule_title":"CIS-CAT 2","notchecked":5,"score":84,"pass":91,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"197","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":33,"rule_title":"CIS-CAT 1","notchecked":5,"score":18,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"26","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":2,"score":45,"pass":68,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"1000","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":14,"rule_title":"CIS-CAT 1","notchecked":5,"score":31,"pass":38,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 2","id":"3124","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 6","notchecked":4,"score":59,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"4453","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":1,"score":100,"pass":2,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"137","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":2,"score":71,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"2841","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":18,"rule_title":"CIS-CAT 5","notchecked":3,"score":32,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
5","id":"950","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 5","notchecked":1,"score":29,"pass":89,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"5286","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 5","notchecked":1,"score":20,"pass":71,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"2562","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":2,"score":63,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"4700","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":32,"rule_title":"CIS-CAT 3","notchecked":2,"score":64,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"174","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 5","notchecked":5,"score":83,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"2479","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":75,"rule_title":"CIS-CAT 3","notchecked":2,"score":11,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
3","id":"3649","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 1","notchecked":4,"score":48,"pass":79,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"3486","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 3","notchecked":5,"score":81,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"3672","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":79,"rule_title":"CIS-CAT 2","notchecked":0,"score":14,"pass":42,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"3758","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 5","notchecked":0,"score":8,"pass":99,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"423","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 3","notchecked":4,"score":87,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"3813","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 5","notchecked":2,"score":48,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"3529","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 5","notchecked":1,"score":83,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"4277","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 3","notchecked":1,"score":0,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"4651","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":5,"score":56,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
4","id":"2346","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 6","notchecked":4,"score":79,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":41,"rule_title":"CIS-CAT 6","notchecked":1,"score":10,"pass":47,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"3691","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 5","notchecked":4,"score":29,"pass":14,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
1","id":"4868","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 3","notchecked":5,"score":85,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"3503","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":1,"score":0,"pass":99,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 3","notchecked":0,"score":83,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"5375","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 4","notchecked":2,"score":60,"pass":51,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"5779","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 2","notchecked":5,"score":90,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"5825","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":61,"rule_title":"CIS-CAT 5","notchecked":2,"score":71,"pass":30,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"3779","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":13,"rule_title":"CIS-CAT 1","notchecked":0,"score":83,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"14","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 5","notchecked":2,"score":4,"pass":2,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"4149","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":21,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"4526","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":5,"rule_title":"CIS-CAT 6","notchecked":3,"score":98,"pass":87,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"2118","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":43,"pass":70,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"1725","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 2","notchecked":3,"score":41,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"3072","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":1,"score":52,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"3349","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":96,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":61,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"3551","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":64,"rule_title":"CIS-CAT 2","notchecked":1,"score":35,"pass":60,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
4","id":"821","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":27,"rule_title":"CIS-CAT 3","notchecked":5,"score":58,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"1690","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":78,"rule_title":"CIS-CAT 5","notchecked":4,"score":11,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"4610","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":68,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":37,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"2660","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":5,"score":20,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"5903","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":62,"rule_title":"CIS-CAT 2","notchecked":4,"score":58,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"2971","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 3","notchecked":4,"score":70,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"4461","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":79,"rule_title":"CIS-CAT 1","notchecked":0,"score":38,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 2","id":"5988","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 1","notchecked":4,"score":14,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"2217","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":35,"rule_title":"CIS-CAT 4","notchecked":4,"score":43,"pass":73,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
4","id":"450","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 4","notchecked":5,"score":75,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"397","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 1","notchecked":2,"score":44,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"1568","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 3","notchecked":2,"score":44,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
4","id":"3790","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 6","notchecked":2,"score":55,"pass":97,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"2139","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 1","notchecked":5,"score":32,"pass":24,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"3862","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 5","notchecked":2,"score":1,"pass":2,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
5","id":"186","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 6","notchecked":3,"score":56,"pass":30,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"412","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 6","notchecked":5,"score":59,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"33","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":23,"rule_title":"CIS-CAT 6","notchecked":3,"score":1,"pass":0,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
2","id":"2692","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 2","notchecked":4,"score":39,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"824","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":3,"score":59,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"3744","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":1,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"5773","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 2","notchecked":0,"score":81,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"3670","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":31,"rule_title":"CIS-CAT 3","notchecked":2,"score":11,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":37,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"1188","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 5","notchecked":1,"score":76,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"1664","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 1","notchecked":4,"score":68,"pass":82,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"487","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 2","notchecked":3,"score":76,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"3012","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":23,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"3776","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 6","notchecked":1,"score":94,"pass":4,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"671","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 2","notchecked":4,"score":23,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"1545","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 4","notchecked":4,"score":58,"pass":28,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"427","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":62,"rule_title":"CIS-CAT 5","notchecked":1,"score":73,"pass":72,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"3987","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 3","notchecked":3,"score":3,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"4796","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 4","notchecked":1,"score":82,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"2058","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 1","notchecked":4,"score":35,"pass":64,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"5269","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":24,"rule_title":"CIS-CAT 5","notchecked":1,"score":51,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":87,"rule_title":"CIS-CAT 6","notchecked":2,"score":68,"pass":15,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"2093","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 5","notchecked":1,"score":68,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"5895","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":80,"rule_title":"CIS-CAT 1","notchecked":0,"score":15,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"3220","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":29,"rule_title":"CIS-CAT 3","notchecked":3,"score":26,"pass":41,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
4","id":"3945","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 1","notchecked":4,"score":23,"pass":95,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"3886","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 4","notchecked":5,"score":93,"pass":3,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"2195","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 1","notchecked":2,"score":40,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
2","id":"716","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 6","notchecked":3,"score":15,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"4764","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":60,"rule_title":"CIS-CAT 2","notchecked":5,"score":60,"pass":11,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"2963","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 4","notchecked":2,"score":23,"pass":24,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
4","id":"3794","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 4","notchecked":3,"score":95,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"410","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 3","notchecked":4,"score":61,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"4813","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 6","notchecked":2,"score":68,"pass":4,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"866","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 1","notchecked":5,"score":21,"pass":86,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"831","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 5","notchecked":0,"score":41,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"270","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 6","notchecked":3,"score":68,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"1937","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 3","notchecked":0,"score":24,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"1794","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 5","notchecked":4,"score":43,"pass":16,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"1316","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":73,"rule_title":"CIS-CAT 4","notchecked":4,"score":41,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
2","id":"717","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":44,"pass":46,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"5102","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 3","notchecked":5,"score":15,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"1872","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 5","notchecked":5,"score":60,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"3181","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":79,"rule_title":"CIS-CAT 6","notchecked":5,"score":63,"pass":53,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"5318","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":69,"rule_title":"CIS-CAT 5","notchecked":3,"score":32,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"2805","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 4","notchecked":1,"score":74,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
1","id":"505","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 4","notchecked":3,"score":85,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"4159","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":43,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"5875","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":14,"rule_title":"CIS-CAT 6","notchecked":0,"score":83,"pass":68,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"4318","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 2","notchecked":5,"score":36,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"4003","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":3,"score":75,"pass":16,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"2242","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 1","notchecked":2,"score":13,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"2825","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":82,"rule_title":"CIS-CAT 5","notchecked":2,"score":1,"pass":57,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"1063","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":50,"rule_title":"CIS-CAT 5","notchecked":3,"score":100,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"5674","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 1","notchecked":0,"score":72,"pass":47,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"4083","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":89,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":53,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"4934","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 5","notchecked":1,"score":64,"pass":57,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"3512","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 4","notchecked":0,"score":51,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"5946","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":17,"rule_title":"CIS-CAT 1","notchecked":1,"score":91,"pass":25,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"4833","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 2","notchecked":0,"score":22,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"4760","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":73,"rule_title":"CIS-CAT 1","notchecked":3,"score":11,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"2003","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 2","notchecked":0,"score":37,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":38,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"4291","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 2","notchecked":3,"score":94,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"1893","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 3","notchecked":0,"score":24,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
2","id":"1642","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 6","notchecked":4,"score":11,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"4628","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":8,"rule_title":"CIS-CAT 5","notchecked":1,"score":10,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"4861","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"4064","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 5","notchecked":1,"score":22,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"4086","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 6","notchecked":4,"score":62,"pass":71,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"3447","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 5","notchecked":5,"score":98,"pass":51,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
5","id":"2244","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 6","notchecked":1,"score":41,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"159","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 3","notchecked":3,"score":43,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"2303","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 4","notchecked":3,"score":80,"pass":40,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":31,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
1","id":"5339","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":29,"rule_title":"CIS-CAT 1","notchecked":4,"score":47,"pass":37,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"5917","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":2,"score":98,"pass":87,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"592","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":100,"rule_title":"CIS-CAT 5","notchecked":4,"score":0,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
5","id":"2369","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 6","notchecked":2,"score":86,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"4560","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 3","notchecked":2,"score":17,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"4697","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 6","notchecked":0,"score":51,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
2","id":"1223","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":1,"score":81,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"2002","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":89,"pass":18,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"2314","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 5","notchecked":4,"score":7,"pass":85,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"1772","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 3","notchecked":5,"score":98,"pass":70,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"224","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 6","notchecked":0,"score":91,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"2270","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":49,"rule_title":"CIS-CAT 3","notchecked":3,"score":99,"pass":31,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
5","id":"5494","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 6","notchecked":5,"score":76,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":66,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"2681","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 2","notchecked":5,"score":21,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"4671","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":90,"rule_title":"CIS-CAT 2","notchecked":4,"score":79,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
3","id":"25","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 4","notchecked":4,"score":50,"pass":64,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 3","id":"4311","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 2","notchecked":0,"score":79,"pass":91,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"2740","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 2","notchecked":4,"score":92,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"3361","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":3,"score":13,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":4,"score":36,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"5908","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":47,"rule_title":"CIS-CAT 3","notchecked":5,"score":57,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"3433","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 2","notchecked":0,"score":30,"pass":75,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"3733","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":5,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":80,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"1805","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":0,"score":43,"pass":49,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"3791","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 4","notchecked":2,"score":17,"pass":92,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"3226","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":39,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"2037","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 3","notchecked":1,"score":88,"pass":88,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
1","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 5","notchecked":1,"score":48,"pass":43,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"4331","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 6","notchecked":0,"score":59,"pass":70,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"2571","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 2","notchecked":2,"score":88,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"2665","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 6","notchecked":4,"score":62,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"2002","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":29,"rule_title":"CIS-CAT 4","notchecked":1,"score":84,"pass":18,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"3081","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":53,"rule_title":"CIS-CAT 5","notchecked":4,"score":6,"pass":50,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":44,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
3","id":"3062","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":33,"rule_title":"CIS-CAT 4","notchecked":3,"score":61,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"1493","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":38,"pass":28,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"3893","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":2,"score":96,"pass":65,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"4399","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":4,"rule_title":"CIS-CAT 4","notchecked":1,"score":71,"pass":66,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"1375","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 6","notchecked":0,"score":71,"pass":11,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":33,"rule_title":"CIS-CAT 1","notchecked":2,"score":100,"pass":65,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"4923","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 4","notchecked":2,"score":76,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 1","id":"596","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":84,"rule_title":"CIS-CAT 3","notchecked":3,"score":79,"pass":39,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"2316","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 4","notchecked":4,"score":22,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
2","id":"2212","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":29,"rule_title":"CIS-CAT 2","notchecked":4,"score":92,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"908","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":5,"score":48,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"1056","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":35,"rule_title":"CIS-CAT 1","notchecked":1,"score":34,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"2504","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 3","notchecked":2,"score":81,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"842","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":9,"rule_title":"CIS-CAT 2","notchecked":4,"score":75,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":80,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"4150","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 5","notchecked":3,"score":6,"pass":99,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":35,"rule_title":"CIS-CAT 1","notchecked":2,"score":35,"pass":3,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"4998","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":34,"rule_title":"CIS-CAT 6","notchecked":4,"score":89,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"5865","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 3","notchecked":5,"score":61,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":74,"rule_title":"CIS-CAT 4","notchecked":1,"score":78,"pass":71,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 5","id":"2693","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 4","notchecked":3,"score":82,"pass":6,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":92,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"2031","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":54,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":74,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
4","id":"3940","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":43,"rule_title":"CIS-CAT 5","notchecked":3,"score":89,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 5","id":"1491","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":11,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"1507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 4","notchecked":2,"score":15,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
1","id":"3690","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":27,"rule_title":"CIS-CAT 2","notchecked":4,"score":62,"pass":67,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"3537","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":0,"score":46,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"4934","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":11,"rule_title":"CIS-CAT 4","notchecked":2,"score":32,"pass":69,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
2","id":"5865","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 3","notchecked":5,"score":4,"pass":5,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"4510","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":21,"rule_title":"CIS-CAT 2","notchecked":3,"score":86,"pass":10,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"3322","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 3","notchecked":5,"score":93,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"4352","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 2","notchecked":0,"score":93,"pass":32,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 2","notchecked":1,"score":44,"pass":98,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"64","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":24,"rule_title":"CIS-CAT 1","notchecked":3,"score":64,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
2","id":"743","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":28,"rule_title":"CIS-CAT 1","notchecked":2,"score":7,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"2730","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 6","notchecked":4,"score":52,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":50,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 4","id":"2776","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":15,"rule_title":"CIS-CAT 6","notchecked":3,"score":82,"pass":7,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":82,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
1","id":"1753","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 5","notchecked":0,"score":82,"pass":54,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"4186","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":8,"rule_title":"CIS-CAT 5","notchecked":4,"score":88,"pass":22,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"3967","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 6","notchecked":5,"score":78,"pass":27,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
5","id":"1773","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":92,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":52,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":30,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"4199","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 3","notchecked":3,"score":51,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"4629","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":2,"score":95,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
2","id":"41","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 1","notchecked":4,"score":5,"pass":47,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"5843","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":2,"score":61,"pass":72,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"243","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 6","notchecked":1,"score":0,"pass":95,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
1","id":"5322","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 3","notchecked":3,"score":1,"pass":15,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"2331","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 2","notchecked":0,"score":34,"pass":93,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 2","id":"3190","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 5","notchecked":0,"score":89,"pass":32,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
3","id":"5503","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":72,"rule_title":"CIS-CAT 3","notchecked":5,"score":58,"pass":9,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"62","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 2","notchecked":0,"score":45,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"4457","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 2","notchecked":4,"score":68,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":70,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 3","id":"2006","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 4","notchecked":5,"score":84,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 1","id":"1257","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 2","notchecked":4,"score":55,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
5","id":"1007","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":60,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"5287","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 4","notchecked":5,"score":41,"pass":87,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"5886","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":64,"rule_title":"CIS-CAT 5","notchecked":2,"score":33,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"3014","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":25,"rule_title":"CIS-CAT 6","notchecked":2,"score":92,"pass":10,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"475","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":5,"score":33,"pass":54,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"561","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":2,"score":100,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"5665","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":69,"rule_title":"CIS-CAT 5","notchecked":4,"score":60,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"4446","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":0,"score":89,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"187","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":59,"rule_title":"CIS-CAT 4","notchecked":1,"score":28,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
2","id":"3390","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 1","notchecked":4,"score":42,"pass":2,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"4063","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":61,"rule_title":"CIS-CAT 6","notchecked":2,"score":10,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"1474","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 4","notchecked":4,"score":46,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
3","id":"3407","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":64,"rule_title":"CIS-CAT 4","notchecked":0,"score":9,"pass":62,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"3276","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 3","notchecked":3,"score":95,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"3058","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":69,"rule_title":"CIS-CAT 6","notchecked":5,"score":22,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"4552","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 6","notchecked":2,"score":61,"pass":26,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"701","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":14,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"3279","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 5","notchecked":1,"score":23,"pass":9,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"2891","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":37,"rule_title":"CIS-CAT 5","notchecked":0,"score":13,"pass":17,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"385","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 5","notchecked":2,"score":62,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"5952","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":5,"score":30,"pass":40,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"3356","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":3,"score":16,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"5404","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 6","notchecked":0,"score":26,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"2348","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":35,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
1","id":"3234","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":42,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 5","id":"3466","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":3,"score":81,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"645","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 2","notchecked":3,"score":80,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"1645","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 4","notchecked":5,"score":87,"pass":89,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"5749","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 5","notchecked":5,"score":71,"pass":85,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 5","id":"85","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 6","notchecked":3,"score":75,"pass":59,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
3","id":"4947","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":94,"rule_title":"CIS-CAT 5","notchecked":2,"score":1,"pass":89,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"4349","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 3","notchecked":1,"score":96,"pass":68,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"3832","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":98,"rule_title":"CIS-CAT 4","notchecked":3,"score":94,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"5092","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":64,"rule_title":"CIS-CAT 5","notchecked":3,"score":21,"pass":6,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"902","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 6","notchecked":5,"score":4,"pass":31,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"2182","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":53,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
3","id":"1354","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":0,"score":55,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":40,"rule_title":"CIS-CAT 3","notchecked":3,"score":2,"pass":5,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"3760","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":5,"score":91,"pass":56,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"375","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 4","notchecked":3,"score":53,"pass":76,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":56,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"2130","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 5","notchecked":3,"score":78,"pass":91,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 5","id":"2482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":50,"rule_title":"CIS-CAT 6","notchecked":5,"score":15,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
1","id":"5199","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":47,"rule_title":"CIS-CAT 2","notchecked":3,"score":71,"pass":72,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"1968","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":42,"rule_title":"CIS-CAT 1","notchecked":1,"score":71,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 4","id":"1180","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 3","notchecked":2,"score":54,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"4633","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":63,"rule_title":"CIS-CAT 1","notchecked":2,"score":39,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"171","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":51,"rule_title":"CIS-CAT 3","notchecked":4,"score":23,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 2","id":"2320","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 5","notchecked":4,"score":16,"pass":52,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
5","id":"4598","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":1,"score":14,"pass":11,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 4","id":"4044","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"3932","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":4,"score":72,"pass":39,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"1379","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":2,"score":5,"pass":86,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"4454","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":4,"score":3,"pass":19,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 2","id":"3476","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":62,"pass":70,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"1453","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":3,"score":84,"pass":19,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"1418","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":2,"score":74,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"2726","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":1,"pass":66,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
1","id":"4746","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":55,"pass":84,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"457","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 1","notchecked":5,"score":42,"pass":85,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"3248","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 3","notchecked":2,"score":82,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
4","id":"5382","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"4840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":2,"score":58,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"4569","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":1,"score":79,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 1","notchecked":3,"score":76,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"2098","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":41,"pass":66,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"2011","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 1","notchecked":4,"score":59,"pass":67,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
5","id":"4506","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 4","notchecked":1,"score":99,"pass":38,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"1888","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 4","notchecked":2,"score":87,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"1059","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
4","id":"531","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":97,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 1","id":"986","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":51,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"3810","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":84,"pass":91,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
1","id":"3495","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":53,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 1","id":"116","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":46,"pass":28,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 3","id":"3857","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":0,"score":7,"pass":27,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"86","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":1,"score":30,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"730","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":75,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":60,"pass":93,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"5587","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 3","notchecked":5,"score":7,"pass":48,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"2761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 4","id":"3750","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":73,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":3,"score":32,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"1858","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"1740","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":1,"score":79,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
5","id":"4761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"3621","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":86,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"5004","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":0,"score":45,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"3909","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 5","notchecked":3,"score":12,"pass":45,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"940","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 4","notchecked":1,"score":20,"pass":49,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"5026","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":5,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
4","id":"2301","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 1","notchecked":5,"score":89,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"4721","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 1","notchecked":0,"score":13,"pass":59,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"939","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 1","notchecked":5,"score":5,"pass":76,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
1","id":"3683","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":1,"score":32,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 4","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":5,"score":68,"pass":60,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"4845","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":1,"score":31,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
5","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 2","notchecked":3,"score":17,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":3,"score":2,"pass":44,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":60,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"5802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":3,"score":8,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"2553","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 5","notchecked":1,"score":71,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 3","id":"5515","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":91,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
2","id":"3519","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":2,"score":62,"pass":79,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"4891","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 3","notchecked":3,"score":9,"pass":41,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"4265","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 2","notchecked":3,"score":48,"pass":12,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
2","id":"5205","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 6","notchecked":1,"score":97,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":14,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"3796","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":18,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
4","id":"5794","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":60,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 4","notchecked":0,"score":2,"pass":92,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"2333","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":0,"score":49,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
5","id":"2835","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"5915","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":2,"score":36,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"5311","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":58,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
5","id":"4972","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 3","notchecked":3,"score":27,"pass":23,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"3913","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":2,"score":22,"pass":77,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"3530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":0,"score":22,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
1","id":"434","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":65,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"684","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":0,"score":11,"pass":26,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 4","id":"2819","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"1839","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":2,"score":2,"pass":1,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 4","id":"1899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":1,"score":20,"pass":59,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
2","id":"2808","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":31,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 5","id":"2840","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":34,"pass":35,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 3","id":"5978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":71,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
5","id":"3237","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 4","id":"2993","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 1","notchecked":2,"score":25,"pass":68,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":4,"score":95,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"5805","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"5561","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":85,"pass":28,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"2087","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":4,"score":54,"pass":58,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
2","id":"3402","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":20,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"5032","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 4","notchecked":4,"score":0,"pass":11,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"2352","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":65,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
4","id":"5484","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":3,"score":65,"pass":26,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"4635","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":5,"score":58,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 4","id":"426","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 3","notchecked":5,"score":23,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
5","id":"1567","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 6","notchecked":4,"score":29,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":2,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 3","id":"3284","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":18,"pass":87,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"2626","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":4,"score":53,"pass":62,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"422","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":4,"score":99,"pass":82,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"112","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":16,"pass":92,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"5565","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"2565","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 4","notchecked":0,"score":96,"pass":30,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"3334","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":98,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
2","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":83,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"2309","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":52,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"4820","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":2,"score":0,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 2","notchecked":1,"score":19,"pass":83,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":20,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 2","id":"925","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 6","notchecked":1,"score":75,"pass":28,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 
2","id":"277","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":5,"score":84,"pass":54,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"77","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":1,"score":46,"pass":37,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 2","id":"1151","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":42,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
2","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":54,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":1,"score":95,"pass":68,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 6","notchecked":0,"score":42,"pass":25,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"598","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":32,"pass":64,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"4816","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":2,"score":11,"pass":98,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"3079","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":57,"pass":35,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
5","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 4","notchecked":4,"score":84,"pass":31,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"5071","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":77,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 5","id":"2703","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":6,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
4","id":"801","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":76,"rule_title":"CIS-CAT 5","notchecked":3,"score":39,"pass":37,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"3340","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":14,"rule_title":"CIS-CAT 6","notchecked":4,"score":72,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4121","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":60,"rule_title":"CIS-CAT 4","notchecked":3,"score":75,"pass":58,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
2","id":"4197","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 1","notchecked":5,"score":9,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 1","id":"280","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":45,"rule_title":"CIS-CAT 2","notchecked":4,"score":90,"pass":40,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"4043","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":2,"score":44,"pass":56,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
5","id":"2156","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":69,"rule_title":"CIS-CAT 5","notchecked":4,"score":44,"pass":20,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 2","notchecked":1,"score":18,"pass":78,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 2","id":"4692","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 4","notchecked":0,"score":67,"pass":5,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
1","id":"581","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":3,"score":96,"pass":47,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":19,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"456","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 2","notchecked":2,"score":57,"pass":63,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 1","id":"3696","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 1","notchecked":1,"score":22,"pass":49,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
5","id":"2547","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":96,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"691","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 2","notchecked":4,"score":12,"pass":12,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"1710","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 1","notchecked":4,"score":34,"pass":71,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 
2","id":"1652","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 6","notchecked":3,"score":47,"pass":8,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"1244","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":4,"score":38,"pass":17,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"754","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 3","notchecked":0,"score":86,"pass":29,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"2745","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":63,"rule_title":"CIS-CAT 5","notchecked":2,"score":65,"pass":48,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 5","id":"2108","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":43,"rule_title":"CIS-CAT 3","notchecked":3,"score":22,"pass":16,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":39,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 5","id":"5870","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":76,"pass":94,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"4605","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 1","notchecked":1,"score":71,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 3","id":"4597","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 1","notchecked":2,"score":19,"pass":76,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 1","id":"1917","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":53,"rule_title":"CIS-CAT 6","notchecked":0,"score":90,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"2083","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 2","notchecked":0,"score":12,"pass":45,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"351","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 6","notchecked":1,"score":17,"pass":4,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 1","id":"2704","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 6","notchecked":2,"score":26,"pass":89,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
3","id":"1380","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 4","notchecked":1,"score":98,"pass":55,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"1903","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":45,"rule_title":"CIS-CAT 4","notchecked":0,"score":33,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"4709","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":56,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
3","id":"4285","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":15,"rule_title":"CIS-CAT 2","notchecked":3,"score":94,"pass":81,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 1","id":"5279","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":77,"rule_title":"CIS-CAT 5","notchecked":5,"score":10,"pass":49,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 5","id":"4458","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":44,"rule_title":"CIS-CAT 5","notchecked":4,"score":22,"pass":38,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":87,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 
1","id":"1029","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":93,"rule_title":"CIS-CAT 5","notchecked":4,"score":34,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 2","id":"2795","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":56,"rule_title":"CIS-CAT 6","notchecked":2,"score":23,"pass":61,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 3","id":"4440","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":6,"rule_title":"CIS-CAT 1","notchecked":4,"score":67,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
3","id":"3228","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":45,"rule_title":"CIS-CAT 1","notchecked":2,"score":41,"pass":66,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"3169","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":34,"rule_title":"CIS-CAT 1","notchecked":2,"score":61,"pass":13,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 1","id":"2543","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 1","notchecked":1,"score":20,"pass":24,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
3","id":"4941","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 4","notchecked":0,"score":25,"pass":42,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"258","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":14,"rule_title":"CIS-CAT 5","notchecked":1,"score":54,"pass":40,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 5","id":"541","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 2","notchecked":4,"score":97,"pass":21,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":29,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
2","id":"869","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":11,"rule_title":"CIS-CAT 2","notchecked":3,"score":7,"pass":0,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":100,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 1","id":"543","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 5","notchecked":3,"score":88,"pass":0,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 5","id":"2860","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":77,"rule_title":"CIS-CAT 5","notchecked":2,"score":94,"pass":64,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 
5","id":"4189","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":2,"score":32,"pass":70,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"4114","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":32,"rule_title":"CIS-CAT 5","notchecked":5,"score":18,"pass":14,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":0,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 1","id":"1370","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":75,"rule_title":"CIS-CAT 2","notchecked":4,"score":67,"pass":92,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":81,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
4","id":"1690","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":83,"rule_title":"CIS-CAT 4","notchecked":1,"score":66,"pass":0,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 3","id":"2252","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":1,"rule_title":"CIS-CAT 1","notchecked":3,"score":18,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 5","id":"4693","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":84,"rule_title":"CIS-CAT 3","notchecked":2,"score":85,"pass":96,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"2741","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":23,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 4","id":"5958","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":82,"rule_title":"CIS-CAT 2","notchecked":0,"score":62,"pass":1,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 3","id":"289","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 3","notchecked":5,"score":58,"pass":13,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
5","id":"597","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":5,"score":60,"pass":46,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 3","id":"2658","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":81,"rule_title":"CIS-CAT 3","notchecked":2,"score":79,"pass":100,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":2,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"5988","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":61,"rule_title":"CIS-CAT 4","notchecked":2,"score":40,"pass":14,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 
5","id":"996","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":37,"rule_title":"CIS-CAT 4","notchecked":3,"score":95,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"3370","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 5","notchecked":3,"score":97,"pass":48,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 5","id":"2771","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":61,"rule_title":"CIS-CAT 5","notchecked":5,"score":72,"pass":70,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
5","id":"1280","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":29,"rule_title":"CIS-CAT 2","notchecked":1,"score":15,"pass":35,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":94,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 5","id":"1928","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":91,"pass":95,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 3","id":"4250","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":1,"score":88,"pass":90,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 
4","id":"1823","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 2","notchecked":2,"score":41,"pass":33,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 4","id":"482","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":40,"rule_title":"CIS-CAT 4","notchecked":4,"score":12,"pass":29,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 2","id":"3629","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":5,"score":46,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":25,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
3","id":"689","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 4","notchecked":4,"score":69,"pass":75,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":13,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"3427","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":10,"rule_title":"CIS-CAT 1","notchecked":0,"score":39,"pass":84,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 4","id":"4836","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 6","notchecked":4,"score":78,"pass":63,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 
2","id":"1223","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":76,"rule_title":"CIS-CAT 4","notchecked":0,"score":68,"pass":24,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"3117","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 3","notchecked":1,"score":77,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":1,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"2123","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":22,"rule_title":"CIS-CAT 5","notchecked":0,"score":35,"pass":34,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
3","id":"2325","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 3","notchecked":1,"score":55,"pass":82,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 1","id":"3253","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 3","notchecked":5,"score":9,"pass":52,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"1286","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 4","notchecked":4,"score":26,"pass":36,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":26,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 
4","id":"380","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":33,"rule_title":"CIS-CAT 2","notchecked":5,"score":0,"pass":34,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":93,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"5766","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":24,"rule_title":"CIS-CAT 2","notchecked":0,"score":65,"pass":81,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Sample alert 3","id":"257","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":4,"score":98,"pass":43,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 
3","id":"1235","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":31,"rule_title":"CIS-CAT 4","notchecked":1,"score":81,"pass":74,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 2","id":"4729","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":78,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"Sample alert 4","id":"2701","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":3,"rule_title":"CIS-CAT 6","notchecked":4,"score":20,"pass":37,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":22,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"1088","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 5","notchecked":1,"score":73,"pass":42,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 1","id":"223","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":44,"rule_title":"CIS-CAT 2","notchecked":1,"score":75,"pass":84,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"Sample alert 2","id":"2035","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":5,"rule_title":"CIS-CAT 1","notchecked":1,"score":41,"pass":16,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 
3","id":"448","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":11,"rule_title":"CIS-CAT 6","notchecked":1,"score":50,"pass":47,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":71,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 2","id":"998","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":25,"rule_title":"CIS-CAT 6","notchecked":3,"score":88,"pass":61,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 2","id":"3850","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":5,"score":49,"pass":42,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"Sample alert 
4","id":"2932","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 5","notchecked":3,"score":56,"pass":38,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"Sample alert 5","id":"2151","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 3","notchecked":1,"score":84,"pass":82,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"Sample alert 3","id":"612","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 2","notchecked":0,"score":88,"pass":57,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"935","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 5","notchecked":0,"score":11,"pass":7,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":31,"result":"unknown"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 3","id":"5939","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":28,"rule_title":"CIS-CAT 1","notchecked":3,"score":6,"pass":41,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"Sample alert 2","id":"634","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":8,"rule_title":"CIS-CAT 4","notchecked":4,"score":61,"pass":66,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"Sample alert 
3","id":"2211","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":47,"rule_title":"CIS-CAT 2","notchecked":0,"score":4,"pass":19,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"Sample alert 5","id":"2110","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":56,"rule_title":"CIS-CAT 2","notchecked":2,"score":16,"pass":29,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"Sample alert 4","id":"3625","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":38,"rule_title":"CIS-CAT 5","notchecked":1,"score":37,"pass":44,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":51,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"Sample alert 
4","id":"1528","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":35,"rule_title":"CIS-CAT 3","notchecked":5,"score":50,"pass":43,"timestamp":"dateToChangerror":0,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":59,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 1","id":"2470","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":63,"rule_title":"CIS-CAT 6","notchecked":5,"score":2,"pass":0,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"notchecked"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"Sample alert 4","id":"4708","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 5","notchecked":1,"score":78,"pass":36,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"Sample alert 
3","id":"3952","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 6","notchecked":3,"score":89,"pass":22,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"errors"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"Sample alert 4","id":"2375","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 5","notchecked":1,"score":36,"pass":8,"timestamp":"dateToChangerror":1,"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on 
Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects 
ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects 
sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which 
allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree 
where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in 
ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - 
negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code 
execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 
1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1
c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the 
processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects 
accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. 
It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different 
user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. 
An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 
18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the 
request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory 
Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in 
disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. 
However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproj
ect.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 
19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 
7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects 
ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, 
chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric 
uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. 
However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm
_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated 
with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232
.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX 
\"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils 
through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. 
By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects 
libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a 
flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - 
medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects 
krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 
10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects 
libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap 
corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of 
self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds 
write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects 
accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and 
DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 
18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in 
src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 
function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. 
Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 
4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should 
attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 
3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 
1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view
&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by 
embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects 
libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression 
match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 
1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"
} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects 
cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid 
password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended 
function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or 
equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or 
libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 
1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1
c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on 
Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects 
git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. 
The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - 
negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects 
gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. 
Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 
0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple 
file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. 
This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects 
libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap 
corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 
3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. 
NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https:/
/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on 
Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects 
coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race 
condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects 
screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. 
This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. 
(This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on 
Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects 
elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) 
via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: 
TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on 
the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects 
gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. 
Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects 
libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. 
For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 
on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and 
earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS 
(xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 
1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.c
om/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 
5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. 
Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: 
TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects 
libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses 
DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects 
libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression 
match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects 
libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression 
match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - 
negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip 
UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. 
Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 
6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 
0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org 
libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater 
or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in 
libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabilit
y-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 
8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on 
Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects 
screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects 
accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 
3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects 
sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 
LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. 
By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A 
use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects 
coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race 
condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C 
Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In 
util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects 
sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. 
The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for 
remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes 
before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in 
partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects 
sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method 
or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 
1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 
1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view
&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. 
Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - 
negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on 
Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller 
than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified 
impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 
algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, 
when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects 
ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabilit
y-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid 
password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 
0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. 
(This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects 
git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 
3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 
10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by 
pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects 
libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as 
root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects 
gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and 
redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and 
redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects 
libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects 
elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be 
allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The 
pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions 
to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects 
tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as 
root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects 
libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 
1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1
c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. 
NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. 
If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04
","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects 
git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects 
libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects 
libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS 
(xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabi
lity-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects 
gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. 
Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects 
krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views 
in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is 
unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The 
pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression 
match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on 
Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS 
(xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 
on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabi
lity-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects 
coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race 
condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via 
a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. 
NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https:/
/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and 
entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects 
libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. 
Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 
3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects 
libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of 
sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package 
less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 
4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice 
function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects 
libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. 
NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by 
pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a 
configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED 
** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, 
bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects 
gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects 
libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects 
screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a 
configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects 
gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. 
However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproj
ect.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on 
Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 
on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"
4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount 
allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was 
discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and 
less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects 
unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the 
request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 
1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"
} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects 
krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views 
in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a 
Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect 
existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can 
impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/de
tail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in 
user_change_icon_file_authorized_cb() in user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data 
via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted 
image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. 
For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in 
chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. 
Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 
3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects 
sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects 
git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent 
replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects 
libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression 
match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects 
libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap 
corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc 
upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method 
or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 
3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build 
record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the 
get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is 
susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects 
gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and 
redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 
5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has 
internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects 
git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects 
libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of 
sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects 
wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. 
The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient 
service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** 
Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the 
downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects 
coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race 
condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the 
__builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way 
certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified 
impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or 
equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. 
In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K7342216
0?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, 
which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer 
overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux 
before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap 
corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it 
easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects 
tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as 
root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 
1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1
c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn 
intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A 
Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects 
sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects 
libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. 
NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check 
time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - 
medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 
19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 
4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code 
execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabi
lity-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler 
Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on 
Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://
www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 
1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has 
internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - 
low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects 
libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of 
sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent 
replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. 
The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka 
glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 
1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"
} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils 
through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 
3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 
10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects 
configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects 
curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. 
If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects 
libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects 
libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 
16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects 
screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects 
screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A 
use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain 
plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice 
function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with 
mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in 
ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an 
attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS 
(xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS 
(bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 
1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted 
case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 
8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers 
to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution 
when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default 
protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - 
medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 
1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 
on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 
8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 
LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects 
openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of 
self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 
signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour 
in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in 
versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default 
protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite 
through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects 
sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2","id":"23504","firedtimes":190,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects 
liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects 
cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid 
password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. 
The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as 
certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects 
libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian 
initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 
128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows 
remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 
5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects 
elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 
6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 
6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects 
libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. 
NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 
10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2015-2987 affects 
ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1010204 affects binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 
2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2018-6485 affects 
libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap 
corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing 
directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in 
the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7944 affects libxfixes3","id":"23506","firedtimes":82,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxfixes3","source":"libxfixes","version":"1:5.0.1-2","architecture":"amd64","condition":"Package less or equal than 5.0.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7944","title":"CVE-2016-7944 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of 
sync.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840442"],"references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93361","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CE6VJWBMOWLSCH4OP4TAEPIA7NP53ON/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GE43MDCRGS4R7MRRZNVSLREHRLU5OHCV/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7944","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7944.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 
19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects 
libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects 
liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects 
dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. 
This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects 
mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-18276 affects 
bash","id":"23505","firedtimes":158,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"bash","version":"4.3-14ubuntu1.4","architecture":"amd64","condition":"Package less or equal than 5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"}},"cve":"CVE-2019-18276","title":"CVE-2019-18276 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.","severity":"High","published":"2019-11-28","updated":"2020-04-30","state":"Fixed","cwe_reference":"CWE-273","bugzilla_references":["https://bugzilla.suse.com/show_bug.cgi?id=1158028"],"references":["http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html","https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff","https://security.netapp.com/advisory/ntap-20200430-0003/","https://www.youtube.com/watch?v=-wGtxJ8opa8","https://nvd.nist.gov/vuln/detail/CVE-2019-18276","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - 
medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects 
sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. 
Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 
3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows 
physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 
2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-8769 affects 
elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects 
netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20482 affects 
tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as 
root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabi
lity-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 
8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to 
a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17595 affects 
ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects 
libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-data","id":"23504","firedtimes":192,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-data","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects 
libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-13050 affects 
gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. 
Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects 
cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid 
password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerabi
lity-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple 
file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on 
Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects 
login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-9502 affects 
curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. 
If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In 
GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-14855 affects dirmngr","id":"23504","firedtimes":382,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"dirmngr","source":"gnupg2","version":"2.1.11-6ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-14855","title":"CVE-2019-14855 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. 
An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.","severity":"Medium","published":"2020-03-20","updated":"2020-03-24","state":"Unfixed","cwe_reference":"CWE-327","bugzilla_references":["https://dev.gnupg.org/T4755"],"references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855","https://dev.gnupg.org/T4755","https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html","https://rwc.iacr.org/2020/slides/Leurent.pdf","https://nvd.nist.gov/vuln/detail/CVE-2019-14855","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14855.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855","https://eprint.iacr.org/2020/014.pdf"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-20217 affects libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on 
Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2016-7947 affects libxrandr2","id":"23506","firedtimes":83,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7947","title":"CVE-2016-7947 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted 
response.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93365","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7947","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-4484 affects cryptsetup","id":"23504","firedtimes":290,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"cryptsetup","version":"2:1.6.6-5ubuntu2.1","architecture":"amd64","condition":"Package less or equal than 
2.1.7.3-2"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.800000"}},"cve":"CVE-2016-4484","title":"CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.","severity":"Medium","published":"2017-01-23","updated":"2017-01-26","state":"Fixed","cwe_reference":"CWE-287","bugzilla_references":["https://launchpad.net/bugs/1660701"],"references":["http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html","http://www.openwall.com/lists/oss-security/2016/11/14/13","http://www.openwall.com/lists/oss-security/2016/11/15/1","http://www.openwall.com/lists/oss-security/2016/11/15/4","http://www.openwall.com/lists/oss-security/2016/11/16/6","http://www.securityfocus.com/bid/94315","https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb","https://nvd.nist.gov/vuln/detail/CVE-2016-4484","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2016-5011 affects 
uuid-runtime","id":"23504","firedtimes":395,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"complete"},"base_score":"4.700000"},"cvss3":{"vector":{"attack_vector":"physical","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.300000"}},"cve":"CVE-2016-5011","title":"CVE-2016-5011 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero 
offset.","severity":"Medium","published":"2017-04-11","updated":"2017-04-17","state":"Unfixed","cwe_reference":"CWE-399","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830802","https://bugzilla.redhat.com/show_bug.cgi?id=1349536"],"references":["http://rhn.redhat.com/errata/RHSA-2016-2605.html","http://www.openwall.com/lists/oss-security/2016/07/11/2","http://www.securityfocus.com/bid/91683","http://www.securitytracker.com/id/1036272","http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543","http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801","https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3","https://nvd.nist.gov/vuln/detail/CVE-2016-5011","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5011.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a 
nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-
19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS 
(xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-3843 affects systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 
242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17543 affects 
liblz4-1","id":"23504","firedtimes":244,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"liblz4-1","source":"lz4","version":"0.0~r131-2ubuntu2","architecture":"amd64","condition":"Package less than 1.9.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17543","title":"CVE-2019-17543 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"","severity":"Medium","published":"2019-10-14","updated":"2019-10-24","state":"Fixed","cwe_reference":"CWE-120","bugzilla_references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941","https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2","https://github.com/lz4/lz4/issues/801","https://github.com/lz4/lz4/pull/756","https://github.com/lz4/lz4/pull/760","https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E","https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2019-17543","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17543.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-18684 affects 
sudo","id":"23504","firedtimes":87,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.21p2-3ubuntu1.2","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"6.900000"}},"cve":"CVE-2019-18684","title":"** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. 
Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers.","severity":"Medium","published":"2019-11-04","updated":"2019-11-08","state":"Fixed","cwe_reference":"CWE-362","references":["https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd","https://nvd.nist.gov/vuln/detail/CVE-2019-18684"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-7738 affects util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 
function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15994 affects 
rsync","id":"23506","firedtimes":66,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsync","version":"3.1.1-3ubuntu1.3","architecture":"amd64","condition":"Package less or equal than 3.1.2"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15994","title":"rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. 
NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.","severity":"Critical","published":"2017-10-29","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-354","references":["https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3","https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55","https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b","https://nvd.nist.gov/vuln/detail/CVE-2017-15994"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 
mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 
1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view
&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted 
file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. 
If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04
","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 
6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2020-8631 affects 
grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects 
accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-1003010 affects git","id":"23504","firedtimes":162,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"git","version":"1:2.17.1-1ubuntu0.7","architecture":"amd64","condition":"Package less or equal than 3.9.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"4.300000"}},"cve":"CVE-2019-1003010","title":"A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build 
record.","severity":"Medium","published":"2019-02-06","updated":"2019-04-26","state":"Fixed","cwe_reference":"CWE-352","references":["https://access.redhat.com/errata/RHBA-2019:0326","https://access.redhat.com/errata/RHBA-2019:0327","https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-14036 affects accountsservice","id":"23504","firedtimes":256,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"accountsservice","version":"0.6.40-2ubuntu11.3","architecture":"amd64","condition":"Package less than 0.6.50"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"single","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"4"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"6.500000"}},"cve":"CVE-2018-14036","title":"CVE-2018-14036 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in 
user.c.","severity":"Medium","published":"2018-07-13","updated":"2018-09-06","state":"Fixed","cwe_reference":"CWE-22","bugzilla_references":["https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699"],"references":["http://www.openwall.com/lists/oss-security/2018/07/02/2","http://www.securityfocus.com/bid/104757","https://bugs.freedesktop.org/show_bug.cgi?id=107085","https://bugzilla.suse.com/show_bug.cgi?id=1099699","https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a","https://nvd.nist.gov/vuln/detail/CVE-2018-14036","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14036.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14036"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"CVE-2020-9366 affects screen","id":"23505","firedtimes":77,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"screen","version":"4.6.2-1ubuntu1","architecture":"amd64","condition":"Package less than 4.8.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2020-9366","title":"A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. 
Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.","severity":"High","published":"2020-02-24","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-120","references":["http://www.openwall.com/lists/oss-security/2020/02/25/1","https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html","https://security.gentoo.org/glsa/202003-62","https://www.openwall.com/lists/oss-security/2020/02/06/3","https://nvd.nist.gov/vuln/detail/CVE-2020-9366"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the 
ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. 
Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"CVE-2017-18342 affects 
python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2018-8975 affects netpbm","id":"23504","firedtimes":397,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"netpbm","source":"netpbm-free","version":"2:10.0-15.3","architecture":"amd64","condition":"Package less or equal than 
10.81.03"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2018-8975","title":"The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.","severity":"Medium","published":"2018-03-25","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-125","references":["http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html","https://github.com/xiaoqx/pocs/blob/master/netpbm","https://nvd.nist.gov/vuln/detail/CVE-2018-8975"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 63 engines detected this file","id":"912","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e6a5a45e8e9150dec455378020ba4af95ce4fbf0","file":"/usr/share/sample/program","alert_id":"6697785884.0830978","md5":"9a51ba11f3c46188e324aeaf0db74b7a"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-01T23:13:15.604Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"386","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9897f190663325db61372cf7d407c5e0a3a44588","file":"/tmp/virus/notavirus","alert_id":"3973643369.2378470","md5":"11ec4ed834a5c6c3250d079ce6b9f262"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 61 engines detected this file","id":"4807","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f3524677fd8a74e82f680455db5b84ef865c7910","file":"/etc/data/file","alert_id":"0477146890.8321923","md5":"8990efc7d3c39647a423f617e2991764"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T04:21:06.531Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 17 engines detected this 
file","id":"3375","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"64d5dbe77e9cab3256a04f09fe3965bfd48fd792","file":"/etc/data/file","alert_id":"3398514399.5530583","md5":"d5592738fce8834ad1224e61011542c6"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-01T23:32:24.097Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /root/super-script - 38 engines detected this file","id":"2002","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"aad9f295cf6eed6df767fc54d79cb2d63637ed39","file":"/root/super-script","alert_id":"8873508441.4494736","md5":"23ff3da3899af17add62bcd9a6068188"},"malicious":0,"positives":"38","total":"038","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T09:57:58.736Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /var/opt/amazing-file - 45 engines detected this 
file","id":"3522","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9860bbef6eee13d124c8cbb25135c2c730619340","file":"/var/opt/amazing-file","alert_id":"9968418875.3143419","md5":"20d3c4773cfdaaac18d236fc7fd2e44d"},"malicious":1,"positives":"45","total":"145","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T13:53:50.072Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"957","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0675c2097eee54be261fd957eb0ed83f672f4c5f","file":"/etc/data/file","alert_id":"8771278774.8366235","md5":"83b278a8da03a648784fd36b22c84fe4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1432","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"34298cf557d5d70912a18c5bf6adf0e2e1df6c08","file":"/etc/data/file","alert_id":"4071943776.1993169","md5":"a791c01191912bff6862042c8ac20b4e"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 31 engines detected this file","id":"3907","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"beefa0ab6e9a2803ebaddc3c540403d5c55c27f3","file":"/etc/data/file","alert_id":"1861945633.4733507","md5":"3c3ac84f2e8e893fbfb7befe071baacf"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T02:10:22.577Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 12 engines detected this file","id":"4846","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bd70131660f4b3b7f18f78ab7f8643ed7fbca6d4","file":"/etc/data/file","alert_id":"4332395569.5026416","md5":"e2122f5bca8245114af6afb2d54d92f8"},"malicious":1,"positives":"12","total":"112","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T08:52:03.305Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 63 engines detected this 
file","id":"4576","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2cac65430ce84ef7a2d14ebde6987f210049fa0e","file":"/usr/share/sample/program","alert_id":"4305571379.5926056","md5":"c42710d6a1e9c889a2265d611618627e"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T18:28:54.568Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 3 engines detected this file","id":"17","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"482ddf9dabf139092fb99b3c16c69159931e1859","file":"/etc/data/file","alert_id":"5189591618.3916479","md5":"f27ae8c963d0baf39cd2bb6cd37efe58"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T18:36:04.441Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 35 engines detected this 
file","id":"323","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a0f8ea4ad0b0b6607d3c2d40564be8b488316caa","file":"/tmp/virus/notavirus","alert_id":"6483667112.1272948","md5":"a535591b4498ec4577f831d271cdd518"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T23:39:02.160Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /var/opt/amazing-file - 42 engines detected this file","id":"2312","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"53b0f9eb40629028b8d88ae194fba54ca1b7277a","file":"/var/opt/amazing-file","alert_id":"4517264582.1953825","md5":"47313e700b8d95dee18d78e4fab87662"},"malicious":0,"positives":"42","total":"042","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T19:43:56.073Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 25 engines detected this 
file","id":"4500","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6e7ce703ffc8833e8d721c2191541e46f30487ac","file":"/tmp/virus/notavirus","alert_id":"6812179291.2636274","md5":"4731aacb330d7aad34d3ab82721323ff"},"malicious":0,"positives":"25","total":"025","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T00:34:13.773Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2195","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a95568eb8bfe7746fdbff52cef340e3b941beef6","file":"/usr/share/sample/program","alert_id":"8629985218.2988882","md5":"c5a2255abb4dc3ffc73e54da300dda5b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 23 engines detected this 
file","id":"3588","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9f94a8269dfbe888ee7cfa4404fadfe3dd6c2bd1","file":"/root/super-script","alert_id":"4129122030.0390257","md5":"fe8717047d998678b9d7679c14dfb19b"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T07:36:07.802Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 37 engines detected this file","id":"691","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4040a246e23d1f4490b0459f9cb93c03772a583d","file":"/tmp/virus/notavirus","alert_id":"7982853929.2893832","md5":"8d7065f31a2a2faeeb19ae025dd12d99"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T15:10:19.501Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 59 engines detected this 
file","id":"5310","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a01dfee4350f2f63e57f933d82098ae7d5155650","file":"/root/super-script","alert_id":"5892762750.2991380","md5":"02a6896a89a878e3f12db59e74ef0e5f"},"malicious":0,"positives":"59","total":"059","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T11:58:57.673Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /root/super-script - 26 engines detected this file","id":"2969","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2f03cd4d0f6ebf31cc9c31d63fba7632c32860b1","file":"/root/super-script","alert_id":"2118651115.7086178","md5":"5cbbc7fa7cc1602825bb9ae987701d63"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T22:58:20.325Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this 
file","id":"1446","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"792f5a44bda1283f0ebd16cba76d6d69912f8267","file":"/etc/data/file","alert_id":"9658734630.6781175","md5":"3c5ff9bbb71115742b5fa5c138295fc0"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T16:11:38.364Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3873","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"da60d0270f37e7a27ceb0e7a84d3575ca86e4bcc","file":"/usr/share/sample/program","alert_id":"9643060943.2362991","md5":"358663148fb476c39024ec1bac790ee2"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4397","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c498908f34f5f565bd88505e1b57943ca7e6ee49","file":"/usr/share/sample/program","alert_id":"2511330569.6237254","md5":"e6c5c818173a46ff8e4b7a4e797d3fe1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2738","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5b833e7db2b0a9ef0d06996b43cdc15f93ed45ee","file":"/var/opt/amazing-file","alert_id":"0238177745.7348834","md5":"d4eb3c30df18f5b2b2fac44b774674fb"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this file","id":"1804","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"572966e26b8d6119fdff254436bf31eefc540893","file":"/etc/data/file","alert_id":"2116273565.8003915","md5":"dc5b9490116e3d90b0453c05b5980472"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T04:26:04.355Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /usr/share/sample/program - 18 engines detected this file","id":"4728","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5a3f4fe78becf649ad10e11226a8aefefd1abbf1","file":"/usr/share/sample/program","alert_id":"6924768807.4431033","md5":"e7d34445a7bbb7cb6f1f93408a0d5b4f"},"malicious":0,"positives":"18","total":"018","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T17:33:18.033Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 9 engines detected this file","id":"3490","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5aa7d7ea3d38b492ede4a4a9d7e8181f6dfcb3f0","file":"/root/super-script","alert_id":"2222483390.8857434","md5":"139fab6f0bcef434ab20afafbc5f90c2"},"malicious":1,"positives":"9","total":"19","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T19:35:08.680Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3329","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e3e08360bf7fc731d174fadbe1959dd8a1bcbf79","file":"/tmp/virus/notavirus","alert_id":"2749479073.3230015","md5":"4e02a00c9d582471adf25e3d6c4698a5"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 17 engines detected this file","id":"831","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5fed38cffd2b909b61b42e09c95ce5022caa1402","file":"/etc/sample/script","alert_id":"5343637340.9932906","md5":"defd9d94d56067f6e019b99d64618ff5"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T11:09:55.649Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 41 engines detected this 
file","id":"814","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f16347485b13715a44097ff69317926fe4aa3c1b","file":"/etc/data/file","alert_id":"0861577729.8000482","md5":"04971bdbd79819e88ba863a4b7f61ada"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T10:43:32.571Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 57 engines detected this file","id":"3581","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"464e61a8c552446ebe2e9b9d84c4f9cc287d8e35","file":"/usr/share/sample/program","alert_id":"8241424654.9593968","md5":"38b19acde75ab8c3bf3de39f6523eff9"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T09:15:57.132Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5326","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b897c92f78cf050d35353c917286a12a7c95110d","file":"/etc/sample/script","alert_id":"8409556898.9306859","md5":"eec943687da939908d71f2ce4c0fdf31"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /usr/share/sample/program - 53 engines detected this file","id":"2299","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"28b3c8d0ffd42b9623bac855d9ea4a5f3deac6ac","file":"/usr/share/sample/program","alert_id":"8728929336.8105985","md5":"943674fcd9d9dd8b6c79b5743a57d1cd"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T08:37:10.424Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 15 engines detected this 
file","id":"130","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"837febaa7c53d94028f2b47aee586cf6f956261d","file":"/tmp/virus/notavirus","alert_id":"0735326691.4230290","md5":"81a980afd87140703628bbe47e5efc4d"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T03:41:55.302Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 40 engines detected this file","id":"5653","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9d80329364c99a66aec46bdd7c47910ba839c740","file":"/tmp/virus/notavirus","alert_id":"6603747654.0899815","md5":"16e600e5557216459140d8cf01c8a96e"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-08T09:43:26.329Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 1 engines detected this 
file","id":"61","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6f494486ca022eb68d3b4ab766d3515c4b575b23","file":"/var/opt/amazing-file","alert_id":"1722971228.4176952","md5":"34d7a900216a4567f5bf1cce743a1d77"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T02:33:26.715Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 1 engines detected this file","id":"1780","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"80b8fcbb64133bc2a2c54c7273cfb4018c743990","file":"/etc/data/file","alert_id":"4781898973.6662604","md5":"f187eb619879e1132a8696c69bb517eb"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T23:40:12.714Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 33 engines detected this 
file","id":"3903","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"42aeb26bc0bee3331c43c76b6014664a6c4317bc","file":"/usr/share/sample/program","alert_id":"2879946641.7004514","md5":"02b3cd2d0ebc2aecef9e857e0b5d25d5"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T15:01:45.896Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 47 engines detected this file","id":"1982","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dcd877dd971bf0d56b2136f38f339e030e923e50","file":"/root/super-script","alert_id":"6301668569.0723025","md5":"1d13efcae5867f04339fb9fc52ee45f5"},"malicious":1,"positives":"47","total":"147","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T22:47:24.371Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 1 engines detected this 
file","id":"2967","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5e9ff39fc162893d8d3830147b17c3daf69624ad","file":"/var/opt/amazing-file","alert_id":"7166976887.2875633","md5":"25a7ff0ed53e1f1a2f45c5f74f835fb7"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T03:54:23.818Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 40 engines detected this file","id":"1375","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4fd73e2498d633fa1d1b8a9a8927f7ee7bf145a4","file":"/tmp/virus/notavirus","alert_id":"6193701952.0989621","md5":"e05b048e30f4903b04a74b658259955c"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T18:24:08.499Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 35 engines detected this 
file","id":"2712","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"945309ef0fb481f435628ecefc20513857a9af00","file":"/etc/sample/script","alert_id":"8056634719.6988115","md5":"f28600343ddf09a1054b4fe9c941c063"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T05:16:16.317Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2330","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b4eea916f98b77f288a619c64644fbf97e1b1e91","file":"/usr/share/sample/program","alert_id":"7892655919.8266316","md5":"f6b2d5c50ec7a345589d400deaf566c4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 56 engines detected this 
file","id":"4163","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"67cbe23d0f8d14a953092bf9dc96265acc3b8376","file":"/tmp/virus/notavirus","alert_id":"3001220592.3432937","md5":"3e5574db41c6851c196401114e0644e4"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T20:29:41.104Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 18 engines detected this file","id":"1747","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"48e86bfe68cb09618291443150826ea84b1a0a9e","file":"/etc/data/file","alert_id":"7340713557.0260568","md5":"aaaa101ec91727026f94bd2dbdf97ede"},"malicious":0,"positives":"18","total":"018","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T20:37:36.074Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 28 engines detected this 
file","id":"1241","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6433d5c562792942289d3ea48086f5213bf2d449","file":"/etc/data/file","alert_id":"0650616039.0159918","md5":"11e6f4c3694d23574a26572caef728b0"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T08:30:59.492Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3035","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2ef5fb14a2f77f163377a0b66b267171417165ec","file":"/etc/data/file","alert_id":"2393733054.9130380","md5":"fd73eac3fad8398da1c359269a2a7eab"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 34 engines detected this 
file","id":"3535","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4c7c22cf728b7e95ee41682566fdae990c96a2ff","file":"/usr/share/sample/program","alert_id":"1319744010.7945537","md5":"11ddd2ba2f03606eb1639968fda11dfa"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T20:24:51.356Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /var/opt/amazing-file - 55 engines detected this file","id":"483","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c61905cb6611779dbe6ab5c2bed53801c81d8c3d","file":"/var/opt/amazing-file","alert_id":"5160106820.2772288","md5":"dd04bdd970212734e45d1aa4d5279b0d"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T08:58:29.496Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 38 engines detected this 
file","id":"3447","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c1d675d1db9d92590984f528d28943d730b4cd1c","file":"/etc/data/file","alert_id":"6689136643.6830681","md5":"709e6d51cf40dc54144a18237f0c730d"},"malicious":1,"positives":"38","total":"138","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-04T11:47:57.693Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3957","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"45b30eaafbe6e67762d68787667c444c3ec7154a","file":"/root/super-script","alert_id":"0472478223.9179851","md5":"4a2baeac6285e81dec8ec5a0504d17d4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 24 engines detected this 
file","id":"4738","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5bf8e8260d9d19ae14e310cd6e067d74e32982a9","file":"/etc/data/file","alert_id":"0318982807.0471466","md5":"ce5a072c6895a8345fb336a8cb92e29a"},"malicious":0,"positives":"24","total":"024","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T22:51:41.973Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this file","id":"606","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1040cd0c66b6b2ad352fc48bcce91357ae1dcea6","file":"/etc/data/file","alert_id":"0469992136.6623006","md5":"2a4be5a14b4e7675b68adab10057be44"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T12:17:46.782Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this 
file","id":"1823","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d8090aff46fc9bd9066068fbd1f6c8a3f7faa687","file":"/etc/data/file","alert_id":"2885392026.1339929","md5":"670bb423e31d7fdd45ebf7ea64e1b9b0"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T13:13:09.887Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 62 engines detected this file","id":"4802","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d1184ae91f3bf8e608cb2730815b470f71524261","file":"/etc/sample/script","alert_id":"7000630934.0726808","md5":"2d37f3617bdcd3edd1e896ee4038b609"},"malicious":1,"positives":"62","total":"162","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T18:37:00.774Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 43 engines detected this 
file","id":"2007","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"10c12d816541792461286f56238b564ca51cc586","file":"/etc/data/file","alert_id":"4958068307.2402922","md5":"773c8a0bc0c05ff2eacd6bef8dd76365"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T13:49:12.757Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2759","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3799c4267884957b68b03e0f36653779550cf963","file":"/etc/sample/script","alert_id":"3809923251.9260284","md5":"e22927126064561e76609d019dff38c5"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4598","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"45231e55d7d433b570d0385a30f2c90f1652bf87","file":"/etc/data/file","alert_id":"5393112382.7207927","md5":"2f197cc79b0428022c749d271304d7f9"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 51 engines detected this file","id":"957","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3da5579b465d50867775c7533540aeb8b2e9849c","file":"/etc/sample/script","alert_id":"0797060127.7915384","md5":"2e18d4eb367ea5b97af6867b69ed1421"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T13:52:43.210Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 39 engines detected this file","id":"5801","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"21bbc88d8844e058b6815373c3c61c6a81168dde","file":"/var/opt/amazing-file","alert_id":"8942356530.1225996","md5":"91713bcbd46aa51937bd4f54d182de87"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T19:22:54.669Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4391","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"aa92ac3d8a0390e125beb885ceabcc1de7407abf","file":"/etc/data/file","alert_id":"2401147244.4084506","md5":"fe86db26e4cbdff25fc90c948b59347a"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 52 engines detected this file","id":"5791","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"686585d8523b34b3fc8434036ea8a72af13b74a0","file":"/etc/sample/script","alert_id":"7601302002.2989404","md5":"bb91d776a131511ee25bf5942a3ab5d4"},"malicious":1,"positives":"52","total":"152","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-01T18:10:04.431Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 8 engines detected this 
file","id":"330","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1deb218ece8f1637c8881fadcd0140b40138d5e2","file":"/root/super-script","alert_id":"4179987687.9424655","md5":"7f832a887f62baeba87c000cd1b8cd6e"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T15:04:34.081Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 33 engines detected this file","id":"4570","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cfc2c4f0946ba5ea2fbb683bb99aa12b80dd293c","file":"/var/opt/amazing-file","alert_id":"3425230023.1955937","md5":"b0250941dbf9b2df65fbd97a72ad5c8e"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T14:49:08.286Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 39 engines detected this 
file","id":"2822","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c6b9e3f455eb735cdd27d9e10f9a12d7c1ece00a","file":"/tmp/virus/notavirus","alert_id":"5044417668.8670832","md5":"bf938574b74ae1545d863dafe7f08793"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T04:56:39.334Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 64 engines detected this file","id":"5133","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5e0db14e21dfb890a06016feee1431476392cc06","file":"/etc/data/file","alert_id":"1331810407.0494045","md5":"05e79e09e38047d47f85a2baeeffc3a6"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T11:43:02.278Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 32 engines detected this 
file","id":"4008","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c41fc09914c0b4b025be2dddd3118a1e5e77833e","file":"/etc/sample/script","alert_id":"0990132669.4988173","md5":"2c28750ef4412020d35f489c6a354701"},"malicious":1,"positives":"32","total":"132","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T23:26:35.345Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 2 engines detected this file","id":"2174","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b4bf8e719000055babdd3dd8d62ca49e67870b30","file":"/etc/sample/script","alert_id":"3336766516.3609787","md5":"51d431c7e674382dae61ace0ac5da9f3"},"malicious":0,"positives":"2","total":"02","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T07:11:51.491Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3847","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e8be1327926ad83e480da3e8ae3ed8e4e7f66245","file":"/usr/share/sample/program","alert_id":"3945043033.5724587","md5":"7699767603a27779fe5879beb4ea3e30"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4963","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8d31a565bb301829d43e9053f0fb6d56526813df","file":"/root/super-script","alert_id":"7995849666.7584907","md5":"b07cedeeaa5ca3b3b8a7d25c51a2d9c1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3859","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"851989d58b713944c3d89d2d4ffff4680e1d705f","file":"/etc/sample/script","alert_id":"1696240416.2148658","md5":"f8f91084cf9e8a59fb840bfd0db7936d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"758","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"94014f2fe60ad7b0a8a9d8d1e94a1ca1dc4fb49f","file":"/etc/sample/script","alert_id":"9951397754.3573806","md5":"9807dc6e8ec4adf54e2c4037811a7f6d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 57 engines detected this file","id":"4243","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8ff14c520752ef7b0920148cef333916d76863f5","file":"/etc/data/file","alert_id":"0801455298.1599914","md5":"974615dd56530aeb220307b6284688a8"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T17:28:56.356Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 44 engines detected this 
file","id":"3951","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a9e6b0ccf6113e5d78b11c1a12b3c7c08c2134af","file":"/tmp/virus/notavirus","alert_id":"8189387733.2332786","md5":"305207d2f71b1d6bc8d1e373df0aafb3"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T19:27:05.923Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 17 engines detected this file","id":"1415","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2fd312d5b7279a51be49ccada4f1b81c79b81545","file":"/etc/sample/script","alert_id":"3625127089.4575044","md5":"00f3ee426209632833e7469feb7f51ab"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-08T01:22:37.049Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3699","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3849732edba0b8a9c05e822517b0fa88188d08bb","file":"/usr/share/sample/program","alert_id":"7909703627.8861595","md5":"f274290674c7916c21f0fab7640774c8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 44 engines detected this file","id":"1180","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4aebfbcb20af1500557fbb7c0d2ab23c797456ef","file":"/var/opt/amazing-file","alert_id":"5018176783.9342758","md5":"6df4d3b02a05671a56885b150e409123"},"malicious":1,"positives":"44","total":"144","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T01:09:47.732Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 10 engines detected this 
file","id":"4065","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b09d3ab3445bb41fd024b9fd549acf7a66785a17","file":"/root/super-script","alert_id":"4106435398.5806004","md5":"4112907a43a05b946d0067fac87f815a"},"malicious":0,"positives":"10","total":"010","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T10:53:22.352Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 10 engines detected this file","id":"5723","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c6d08647c5c274f8042b001714106fe42866729d","file":"/etc/sample/script","alert_id":"6256157083.3820043","md5":"47da41ee499ee25b914ce5919e52bc76"},"malicious":0,"positives":"10","total":"010","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T16:23:32.754Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /var/opt/amazing-file - 39 engines detected this 
file","id":"5933","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cb4f0efc19b57e35fdc32fd18badcd00aae1a5ac","file":"/var/opt/amazing-file","alert_id":"9463331746.6751480","md5":"b16d6e88c040b7beef549eca318e6639"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T12:47:19.920Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 7 engines detected this file","id":"266","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8cee2524948a20fd1cf5fb899441226318827f99","file":"/etc/sample/script","alert_id":"1569837656.8478196","md5":"7c82afb5ada05c599aabdeecf77380d3"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T13:54:12.589Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 20 engines detected this 
file","id":"2066","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f15a51eda1d8156ca2664ed37ec95cd84752b262","file":"/etc/data/file","alert_id":"2206344441.4758103","md5":"aeda0bd69dd7f79d17a073c831fe3323"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-08T07:49:20.351Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 3 engines detected this file","id":"3580","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ccf97e47deb7df51086031265e26592c810485ec","file":"/root/super-script","alert_id":"8250463886.3821844","md5":"75fa6e8d4a4413a21f590e98f049ff34"},"malicious":1,"positives":"3","total":"13","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T19:24:49.200Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2397","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fd5e954ef0a9877ba00760620cd1e5520a8ff5d0","file":"/var/opt/amazing-file","alert_id":"9837268032.8901344","md5":"c6d846fcbcbe590d7931de0c56ecd20e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"402","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f26d416a05f17380feb74b5b3c17b305bf2bb178","file":"/root/super-script","alert_id":"9414330046.5889330","md5":"c216efc18a5139fcdf6bf3f21edd392f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2511","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2d1a7e1d7092fb93f7440421eea186d60d7b0f0a","file":"/usr/share/sample/program","alert_id":"5096318173.7100966","md5":"5314b3410492e1c746f45e2347d6b486"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 40 engines detected this 
file","id":"1984","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"20e3ba7e211906c11cc10e5ac922a8795711640e","file":"/tmp/virus/notavirus","alert_id":"4647374755.0552619","md5":"b503d74cb9abf5845028ed45a8f7db36"},"malicious":1,"positives":"40","total":"140","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T02:06:54.018Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 53 engines detected this file","id":"3741","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9a2f027ab78c6e9d42990226c028579c27d95edc","file":"/root/super-script","alert_id":"3848065797.5536319","md5":"77a6315a9a3ef448a0f64dd51f635135"},"malicious":0,"positives":"53","total":"053","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T15:22:18.694Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 48 engines detected this 
file","id":"3905","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c856d5632d76d021b1f6617d4b4c94c273e47037","file":"/etc/sample/script","alert_id":"9614247438.8273621","md5":"76e52515f71eb5bf3d45d13923479288"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T08:26:52.617Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4844","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f489229b439e21927111e0c90b6eace611129fcb","file":"/usr/share/sample/program","alert_id":"9274739453.9178277","md5":"fe1d3abe4620d45c6fa47caf6c0d7c9a"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /root/super-script - 35 engines detected this 
file","id":"5222","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4c8fa10519eeb824ca49844707920f743e45fb44","file":"/root/super-script","alert_id":"8662734319.3843684","md5":"64bd92d204efebe209e5c9bc38a10c5c"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T08:40:56.404Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /var/opt/amazing-file - 3 engines detected this file","id":"5570","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"72674dfa461a5790ecf59958f6027fd2b69ac0a4","file":"/var/opt/amazing-file","alert_id":"2166823934.1033046","md5":"5989ac6cf828b3743a42a0b15e9b4fba"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T09:47:25.491Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 49 engines detected this 
file","id":"1194","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"91f4c505ecd13e8b49a64466a815eb93a1e5d9c1","file":"/usr/share/sample/program","alert_id":"7815914188.3128583","md5":"39ee77f5e361a52c1aa63f7cce7b5726"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T08:52:19.545Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 29 engines detected this file","id":"1868","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6302a07a05aabef34b88ea7e94c59343a4756214","file":"/etc/sample/script","alert_id":"0292875363.7564534","md5":"6761bbb65cfd204a232ce1f5217e48f1"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T06:07:51.274Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 9 engines detected this 
file","id":"25","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4dfa263ae57c4a46274168cc56802a2c99f98bf0","file":"/root/super-script","alert_id":"2991010852.3283244","md5":"d5717ebaa1608ecba5033869d2aeefee"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T14:37:32.242Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 17 engines detected this file","id":"1742","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3f69f0cedcbcb610f44852e7b01ed6e4cf0fb2b9","file":"/tmp/virus/notavirus","alert_id":"9426745767.3404086","md5":"106ad7a0e5e2de332de3f0161ba5c4a2"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T13:03:12.543Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 1 engines detected this 
file","id":"360","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cd320c28a384b1a8bf34d6ece29a046ed4a3f792","file":"/usr/share/sample/program","alert_id":"2296103250.4517474","md5":"32cc4db7099625628c6adea3da7e561a"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T13:23:21.310Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 47 engines detected this file","id":"1329","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"12555a420e5f9f25f7319583a5706e24d80e3b86","file":"/etc/data/file","alert_id":"2597247235.8294388","md5":"6cb24704703aa54720c26cfb257b565c"},"malicious":1,"positives":"47","total":"147","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T00:30:13.930Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 49 engines detected this 
file","id":"5179","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"03163825d839b604f3df207da2272b59771deffd","file":"/etc/data/file","alert_id":"7066737322.0765509","md5":"ad88a7e93e88c69b44103d2dd4468497"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T13:56:24.855Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 11 engines detected this file","id":"3510","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"372b48d5cd9d297169e93fe5e5992f2aafcead57","file":"/root/super-script","alert_id":"3119676354.8247226","md5":"0bcece6209e8c1829448484d0bc86ee2"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T10:11:28.075Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 36 engines detected this 
file","id":"1138","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e822d217d6c63b3b467fd714179a085d21c02576","file":"/usr/share/sample/program","alert_id":"5155947574.1412960","md5":"fab003b17fb362525401172bb56c8a2c"},"malicious":0,"positives":"36","total":"036","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-05T16:55:32.451Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4414","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f69a5174a6e037634fd49c75367ea649b4604aac","file":"/var/opt/amazing-file","alert_id":"0454804575.8192248","md5":"7c7d7ae9cf1b59c18d272ffec0565ac9"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2859","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a7f7644d406f5d3bed77e1e7785715cca78042bd","file":"/etc/data/file","alert_id":"3095691231.6542792","md5":"f49c0227e3ed9e9e999d9378ca999d2b"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this file","id":"3079","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dcc9b7c035d9e92434b9ba6e3471f6405865a112","file":"/root/super-script","alert_id":"5006477611.5404514","md5":"7c47d966f3c8cccf62cb60d49fae8961"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-01T12:12:21.703Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 61 engines detected this file","id":"2784","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"08fa6540e6545f1bb92e8cad8fb06cecb4cb855a","file":"/usr/share/sample/program","alert_id":"7333426574.3466233","md5":"c6509c30396a08b0d3d64ef31a5ae21c"},"malicious":1,"positives":"61","total":"161","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T13:14:25.660Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2764","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7483e09e087b64a37e2df4b42ef75c5866a042bd","file":"/etc/data/file","alert_id":"5198435340.3177579","md5":"c1a1c40ce65773159249deaa7741b102"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2944","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7fe62ff68e7f650ec3345e75fbebe3bc9bf32fa4","file":"/tmp/virus/notavirus","alert_id":"7557762592.5991874","md5":"2b3ec47bf3ce040480b530bf288abca5"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 58 engines detected this 
file","id":"233","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"03a1cdcc7b4a68d2166f5ffdc43258847a3cddc5","file":"/tmp/virus/notavirus","alert_id":"9113979147.0152815","md5":"0081716cceabc66c417cb6f6f9f50827"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-08T09:16:03.410Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 37 engines detected this file","id":"1026","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3ab1d2cf7dfbf4d7d8554dea3654fdd9328ebf6e","file":"/var/opt/amazing-file","alert_id":"5343362670.1392325","md5":"4cccd0a3177834526b8808b55d095dde"},"malicious":1,"positives":"37","total":"137","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T13:38:15.778Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/data/file - 12 engines detected this 
file","id":"3864","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ccfc59508e460197eefa65efd009cf99717d8d66","file":"/etc/data/file","alert_id":"8123844196.1663943","md5":"0a5df2676ba5279d1428971b2cbb9a67"},"malicious":1,"positives":"12","total":"112","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T14:41:03.411Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5581","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"cf07b6eb189bcfbb049d16a30432ac8e54657c0b","file":"/etc/data/file","alert_id":"8437332651.0847117","md5":"51fac9e793cab6dec961d99255736067"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 36 engines detected this 
file","id":"3119","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8ebf38f12e85a1669dc1f1a787b2dc08f1f85353","file":"/tmp/virus/notavirus","alert_id":"6414979753.5023555","md5":"cf4c7a7ec17888039fa426be716e29a7"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T08:35:59.899Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 58 engines detected this file","id":"4466","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2fe6de9c09e295cc3249a4780a4d98f3425f0c27","file":"/root/super-script","alert_id":"0320177534.5965454","md5":"08ad15e006ccd5545886e0ac734faccd"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T08:48:55.878Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3557","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6a7eb0e688a543df865d07eb5129ae273398eed4","file":"/usr/share/sample/program","alert_id":"6311193208.8760066","md5":"aa6dd571fece6b1f6899d17a9c5f8b92"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 65 engines detected this file","id":"88","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"63959e3bf66d5f61eed1c1158e038c8b7055fe5f","file":"/etc/data/file","alert_id":"0817942112.1757341","md5":"d12753808328639d1463faf209711ab2"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T23:21:36.780Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2688","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d21744c149d660ac2597a6ca265ab62ee191c498","file":"/tmp/virus/notavirus","alert_id":"5542686773.5725787","md5":"4414bcab563830f9ad01b1450b00df7c"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2045","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ab2ead725ea336b01cfa1ce88d9e3296ef6f08df","file":"/root/super-script","alert_id":"2182317259.2282567","md5":"eb2faf3d7825e25fa31266d3143e9105"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5578","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"59afaca034a404b44ca0c7749d48a9d4dc95608a","file":"/etc/data/file","alert_id":"0127138559.9325434","md5":"36e85a7ea70c1fa054946bc3bee222bc"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 41 engines detected this 
file","id":"3538","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1358bafaa7da6555775573a62b93d14b77513d35","file":"/root/super-script","alert_id":"6304311900.8334755","md5":"d47279546e733abffb6c2de7e56d6689"},"malicious":1,"positives":"41","total":"141","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T03:37:54.589Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 57 engines detected this file","id":"1032","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8b5389a88406118f3edeede35a12aef282bc3e21","file":"/etc/data/file","alert_id":"0850379777.3026314","md5":"46dfd0f39f14f163fd08752016bbf2c7"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T18:25:35.205Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5335","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"93d01ba5bfc3f37a4223977faf0cb437da0dc2fa","file":"/root/super-script","alert_id":"2372123796.0465529","md5":"01f10484e84f8bd54ecea6c7c81e4cb0"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 63 engines detected this file","id":"5315","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"16bb7bb1155ce2c7a5d152b978b97dc23bcbe150","file":"/var/opt/amazing-file","alert_id":"1469194881.1582669","md5":"11ab89c6ae7f9b3f2e43d703bac388d8"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T07:55:38.599Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 51 engines detected this 
file","id":"820","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"098cbf71678a6862797d5a4cc0bca670994515ac","file":"/etc/sample/script","alert_id":"7387112736.4619189","md5":"99bf246b6a930a18ac03959b55499cc3"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T15:06:23.973Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5919","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3a2b159785f56f2f37555c3d8f5ecbf9424cfa49","file":"/etc/data/file","alert_id":"0751285813.2696831","md5":"db9bc72b963b3d26247fba5b4c0be8d9"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 8 engines detected this 
file","id":"4889","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"26e01809ecbd01f463fd1a2e0b00f4d408321a1f","file":"/var/opt/amazing-file","alert_id":"1627426530.6039158","md5":"d5a3c6060621bdf2b50f27206250bb02"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T21:45:41.950Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4199","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e8bf2f28d36f931fb2091b09b4f13ef68072eccc","file":"/tmp/virus/notavirus","alert_id":"0285770866.7191064","md5":"71dc6619c8dbb5b1f8d6dad4ea2a77ae"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 1 engines detected this 
file","id":"3632","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"111a4146a6c6f443044ca557917a12f6f93d0c24","file":"/var/opt/amazing-file","alert_id":"0639815683.7810228","md5":"91dd17ee2b921f7f4026cc8ad29f176c"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T07:56:13.512Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 15 engines detected this file","id":"398","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5749f842447c3650e69a9b2fe720755b85ef5d51","file":"/var/opt/amazing-file","alert_id":"3349276570.5239210","md5":"ca0d1c847ee9d49074c3bd20ecf190e4"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T23:01:58.299Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /var/opt/amazing-file - 22 engines detected this 
file","id":"3722","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c3dbaaf0c490e020500da2022d236997979739bf","file":"/var/opt/amazing-file","alert_id":"0675328064.6621107","md5":"10f4a814576c618259029b0dab57f07c"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T19:11:53.874Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /usr/share/sample/program - 43 engines detected this file","id":"3566","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"03c63a4940e10a68e1aab16ba112eddb606c8181","file":"/usr/share/sample/program","alert_id":"1984587272.0927104","md5":"834a7f504088fb72a28b64ec5d1b813e"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T21:39:52.646Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 19 engines detected this 
file","id":"5507","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"233d78989183ac662e8ab91246aa28a9ae875f0c","file":"/etc/data/file","alert_id":"5838516687.5207015","md5":"0c4876c92f6d7f42aaede4bfd00a0f89"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T07:36:15.015Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5984","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5e14fd3980726982279ad4a0c2a644932a593dc4","file":"/etc/data/file","alert_id":"5095616371.5427299","md5":"1a77c6bdd1db00c5e9e570a46bd0a656"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 12 engines detected this 
file","id":"5447","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"277eefe3cef9a96e857d19f72f23904fd9b1e8f2","file":"/etc/data/file","alert_id":"4252300558.5178081","md5":"c6d4f05d08c5eea892e41041e38cdebf"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T13:37:48.276Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"407","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"72ef9305a013491e9a45f625dd4d800832ff9b42","file":"/etc/sample/script","alert_id":"7913402866.6485180","md5":"be83768e4f7fae8c7eb6d5d0bb981b0b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 43 engines detected this 
file","id":"1157","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"260b689f659d5165ca67b8a743a27894abde9005","file":"/etc/sample/script","alert_id":"4183695877.4145887","md5":"6eabe297fd281463a0f15f1114579964"},"malicious":0,"positives":"43","total":"043","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T17:41:50.719Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 63 engines detected this file","id":"2084","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"30486b03873e9a0f342a670a42abcbaddb5b820c","file":"/usr/share/sample/program","alert_id":"1043087427.5217408","md5":"99d5b02d3bc2fa11e0dd74137a62294d"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-08T01:04:18.351Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 19 engines detected this 
file","id":"5037","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fa4d40d02c5bfe0930082405ccdff6d118581582","file":"/root/super-script","alert_id":"3151891025.1039811","md5":"0447912a4b4a565442f047513eb069e6"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T00:25:14.250Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 19 engines detected this file","id":"4045","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b1def6b1c54b9a0e3f76207accb0919d088a5627","file":"/root/super-script","alert_id":"5073687743.6549805","md5":"f56253978d8c8c0d9ed80e9ea093018d"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-04T18:17:10.360Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 49 engines detected this 
file","id":"1679","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3d515949711ee0348f8c6ff0e41b99040175f9a9","file":"/tmp/virus/notavirus","alert_id":"7532926439.7272316","md5":"c87424d0e8c614346403a09b3c3249e6"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T10:54:45.178Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5801","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f171934d69417d67b106e8a445604d71b08e641e","file":"/tmp/virus/notavirus","alert_id":"8618862729.5647502","md5":"58116375070202406bebbad6e0c0e759"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 3 engines detected this 
file","id":"3489","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"050a55b7bc5b1e0f75d50013b3ec471c90e08070","file":"/var/opt/amazing-file","alert_id":"6900851323.9581542","md5":"7f826e9b31bff658eb06d22ccd7ea335"},"malicious":1,"positives":"3","total":"13","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-04T04:21:21.511Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 22 engines detected this file","id":"696","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fd3ebc962405fbe7d6ebabdf579d54ad43ca9a24","file":"/etc/sample/script","alert_id":"9122888818.9139637","md5":"e48bcb0feebae141bc83426cd5755672"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T22:15:37.112Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 26 engines detected this 
file","id":"601","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"03b2fe21122d5b5ca32de485cef73483d0ada8e7","file":"/tmp/virus/notavirus","alert_id":"6711082770.3740731","md5":"c4663840a82e02131777c88d8df7d4ff"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T04:56:58.061Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 13 engines detected this file","id":"3996","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cc0ac7fac528500d58428d6615501047ff9f4f2d","file":"/etc/data/file","alert_id":"9646578425.1445295","md5":"f9e0dfde6ce7a4648160bf2bf008c1fd"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T18:31:55.328Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1632","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"acf3b9bc8746f76c2da73c09693e32298b9f9f00","file":"/usr/share/sample/program","alert_id":"8021504904.6327686","md5":"0ac60297b40498498b64d0f2637b6341"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"387","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"53d4d92bbef8b2bdb95ef661ff3f724aa9dbf4c1","file":"/tmp/virus/notavirus","alert_id":"0307230745.4222979","md5":"caf7c76058674a02d5925d8575a37422"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4017","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5e179e42f57372a022b65bacc3bb1703ac47d010","file":"/tmp/virus/notavirus","alert_id":"8977442439.5851861","md5":"24ea3d6273394212b16095ca7568bab1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2178","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6d20b03968c745e5cd359a92509cfec281bd5cf3","file":"/usr/share/sample/program","alert_id":"4850897080.2731507","md5":"66a68d7dc655fb13e408c33e410511b3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 40 engines detected this file","id":"3181","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0c1cee843bd037e117a319800803e2f67cc19c45","file":"/tmp/virus/notavirus","alert_id":"6410552385.7508594","md5":"bfbec7079d885457a59df952a33b96eb"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T04:24:21.503Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 8 engines detected this 
file","id":"4579","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a283ec0c3dcd0dd58911b5bbb8f84e77878cc1c6","file":"/usr/share/sample/program","alert_id":"5712620375.8148385","md5":"58c9ede38d4eeb27f45208669470e143"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T06:52:03.188Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/data/file - 55 engines detected this file","id":"2953","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3c78357677c5c3a9da63cb6d6c318e48f7d8fe57","file":"/etc/data/file","alert_id":"7671677829.3700801","md5":"1c5c5ed8df54bdfd2b7c1cc6d3eaa701"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T19:41:13.474Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 14 engines detected this 
file","id":"3303","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"44fd9341867b79d3fd4b5b6348b3a9722ce87758","file":"/tmp/virus/notavirus","alert_id":"2026764695.3128229","md5":"00a90db515c381c39c5ec262b99c5e48"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T11:17:52.400Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 55 engines detected this file","id":"3039","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b474fc95263a22e83189f909a2fc3897adfed315","file":"/root/super-script","alert_id":"3366517839.1733389","md5":"9f9ecf77edd4bdcb085b192ca3cf312c"},"malicious":0,"positives":"55","total":"055","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T00:01:37.064Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1348","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6400b508392ab03e68d4a82668d05a1b3255b5b2","file":"/etc/sample/script","alert_id":"0152999793.5968099","md5":"0a925956c9fb7b70a2ec2cd94be12104"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 30 engines detected this file","id":"5822","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bbf4bd5b9c74eab4662299d6b8951a34592dddee","file":"/etc/data/file","alert_id":"9874726807.0418750","md5":"05e5e1bb9fb93428fdd4ed601ccb4e35"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T07:27:32.838Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2155","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f69fe34f0ec4e1de20053d3d16cce887e59ef158","file":"/etc/sample/script","alert_id":"8019653113.0224557","md5":"a516df3af432a7b2be8fdfd6e32afcd8"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3909","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7590421ad9913368a33200649e41bdc60e7c53f9","file":"/etc/sample/script","alert_id":"1665543288.5127691","md5":"f5e2be8417b03425692f46e7a07e99c6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"656","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ca7769fc62f73e2c6e33ef700cdc3cd57aa6b217","file":"/usr/share/sample/program","alert_id":"7473466094.8077218","md5":"ba7a6f22b6e9115dc7f17e3c13ecd0dd"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4115","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3b342743defa278bda283b79550e6a7065072cd6","file":"/usr/share/sample/program","alert_id":"1548650276.5844869","md5":"39503dd522600db23a58f985a4f01e34"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert 
- /var/opt/amazing-file - 56 engines detected this file","id":"12","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9a618ef6fdc5f0e1ce90f5dc2f241dc569e57406","file":"/var/opt/amazing-file","alert_id":"4037555791.2318348","md5":"ed957e96cb344b36fb92ab6b4c7accc5"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T22:04:47.913Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 16 engines detected this file","id":"3250","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2fce3a3170baf1302aaa22bba73ae16416b3750a","file":"/etc/sample/script","alert_id":"4347857334.4913773","md5":"d88c6ade0f5cc9707517274ce197041e"},"malicious":0,"positives":"16","total":"016","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T08:50:40.621Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4766","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"969c9cb6557607b65a9c7abf53a94f4b5cc554d4","file":"/etc/sample/script","alert_id":"5376347329.2692767","md5":"5bcde58a68d27124ad968739c09ead58"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 31 engines detected this file","id":"3846","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a7a59e1ba8eb6b08cc249c19a2ee1659cc12f5b2","file":"/var/opt/amazing-file","alert_id":"7274215430.0350524","md5":"86d6582ce9b0aafb7e7edcccd7a6f1d0"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T20:31:38.675Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5598","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c6324cd9d14069bcd19f0cf2b9bcea8920799c0c","file":"/etc/data/file","alert_id":"3537941079.3920246","md5":"111ea0d5c5e2cc1d015449bfcc1ad6a5"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 64 engines detected this file","id":"670","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"06cb873f5c41766e8b0cf812debc9444438136ed","file":"/etc/sample/script","alert_id":"2731298475.0207357","md5":"3d24ffd37b801892d0ce25b1b68051de"},"malicious":0,"positives":"64","total":"064","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T14:20:47.789Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /usr/share/sample/program - 51 engines detected this file","id":"4093","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"28821899f813cd2111d370a952933c28147f26c0","file":"/usr/share/sample/program","alert_id":"7673973947.1345156","md5":"b41c99ae42eee57db7470e61079622b8"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T02:28:51.525Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 58 engines detected this 
file","id":"3925","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"90f167d7a67d29fe4a93f58d01e83bf6755d5810","file":"/etc/sample/script","alert_id":"6629081316.9584124","md5":"451fdfe09a9feb64c38ba6859232ba46"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T15:04:47.895Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /var/opt/amazing-file - 54 engines detected this file","id":"700","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a704dd3b9f77a039c09fd2915a17b9a137c3589b","file":"/var/opt/amazing-file","alert_id":"0747666263.5524927","md5":"6dd1b3564f71440b8bdd8ee5c8a68172"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-08T08:08:48.823Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 10 engines detected this 
file","id":"4426","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5f55345cdd175afbf868f82038546fe15110da69","file":"/var/opt/amazing-file","alert_id":"8664854648.5004696","md5":"955d68206ecbcb4d16ea75680379e1d1"},"malicious":1,"positives":"10","total":"110","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T03:52:07.264Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 20 engines detected this file","id":"961","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"115d2d9662587af046cf032543060118a0c5bdf2","file":"/usr/share/sample/program","alert_id":"4845140695.9043215","md5":"d71ba92f9c65dcddab40a24bc946dca0"},"malicious":0,"positives":"20","total":"020","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T05:54:45.934Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4683","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ea9992ff02bf1550da64bb9ea5444f2b255e7024","file":"/etc/sample/script","alert_id":"1968324225.1242828","md5":"9ed9c34ad18d4de860a2a5b4ae8fffc8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 27 engines detected this file","id":"2784","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9a5b4e066dfdeb4978a8870a8558243a8ddab0c3","file":"/root/super-script","alert_id":"6793142573.4355144","md5":"08d219e8ae2b8e24d7f2449806cfa3ff"},"malicious":0,"positives":"27","total":"027","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T04:35:24.625Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 13 engines detected this 
file","id":"3091","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"321483b7afd035cc2891fa96355b18149f019dc7","file":"/usr/share/sample/program","alert_id":"0161186870.1572334","md5":"315a93cd0a7711069417d5c03f84eced"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T09:24:33.979Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 30 engines detected this file","id":"4130","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"043579366c42de7c090fc82606feb9bbccad2bcf","file":"/tmp/virus/notavirus","alert_id":"2424287725.8288861","md5":"e6cc8c4ed070983ca270015962257a3c"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T12:38:29.313Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4990","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"42c81baf7905752d92663f1c5144ef96127599be","file":"/root/super-script","alert_id":"6253869341.1051180","md5":"f658a2dbe54eb7be2be7ae964b4d79e1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"663","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"060897d838aa06a17b07e9a8862e8353b66425ee","file":"/root/super-script","alert_id":"1922519063.5210475","md5":"61e805496aa9bb7fa3f19a7c75314f7c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4629","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2f1210251820213eb7bf95cc4e49c5a5be57709c","file":"/etc/data/file","alert_id":"3438541943.6671803","md5":"cf213c72452d0760eb37b1637a7769af"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 28 engines detected this 
file","id":"1531","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1aa6b28a4bb024b5e93762602850c5ebc8584314","file":"/usr/share/sample/program","alert_id":"0300844716.9024953","md5":"ce202fe59e2d06465827a96d44332bde"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T07:02:54.563Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 44 engines detected this file","id":"2627","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b7d7f21fb7c0421e7287f9b5d36230fca7e4c9e3","file":"/etc/sample/script","alert_id":"7113452492.2903764","md5":"5b4e73a3ec2a6abff5c46b79c0096ca7"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T22:43:16.518Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 48 engines detected this 
file","id":"1504","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b315286a9160d1e39083d25d556673d970649042","file":"/etc/data/file","alert_id":"5983046893.0756145","md5":"816dc0ad71f84e18dce1d7885d57a73b"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-08T08:24:07.512Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 12 engines detected this file","id":"339","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"07e70e6da9dc618f54b8aa2abdf3c240fd5f5bad","file":"/var/opt/amazing-file","alert_id":"3147213538.5934205","md5":"f1b608682660e83910047afc181fe4a1"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T01:23:22.338Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1379","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ed2995964500f3f9cf6865f971dfc70b4674da15","file":"/tmp/virus/notavirus","alert_id":"4688177085.4418668","md5":"16c443246e854c3f11b26375f89b54dc"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 63 engines detected this file","id":"971","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d82465d60f4a99962e6b6a1e827683580e7aca1d","file":"/usr/share/sample/program","alert_id":"8003659725.2194319","md5":"4aa7411eb49535a171ec59a42a61c68e"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T12:18:47.684Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 47 engines detected this 
file","id":"2487","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"898700b32fb9cca9c3855d26c5f3320ff802dc72","file":"/etc/sample/script","alert_id":"6838270135.6525994","md5":"f15c6b2e4ef5309e634f853b48f970f6"},"malicious":0,"positives":"47","total":"047","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T02:56:28.184Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 31 engines detected this file","id":"3405","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"04b8aecf762dc753914ec95371425e498ad3b3d4","file":"/var/opt/amazing-file","alert_id":"2488480949.7783884","md5":"17b4850feb915ae6c631cd7c78a66eb4"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T23:47:47.732Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 2 engines detected this 
file","id":"2306","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f00060ed5240b1b33a400e5b4ec20098933f3ddf","file":"/tmp/virus/notavirus","alert_id":"7023894560.3756363","md5":"fdc9297764fe175bdae0b105db0a640c"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T02:54:21.048Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5122","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c99f816da98b4d0e9775f900a336408616b0dabd","file":"/usr/share/sample/program","alert_id":"0714929402.3080775","md5":"65bf890070fa88a1bf5360edaef15cf7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 5 engines detected this 
file","id":"70","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"88087085a58919217959900add2ddd8722796241","file":"/usr/share/sample/program","alert_id":"5874792076.9623134","md5":"d667f9d94d2b31534ad1b8dacc330348"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T07:59:49.303Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 23 engines detected this file","id":"4146","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d824b700044a67c40e460a11c0cab70aa716cf2a","file":"/etc/data/file","alert_id":"5525640536.4378698","md5":"7c100e886e42b36c3c1f3700cd6cc3d4"},"malicious":0,"positives":"23","total":"023","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T22:21:53.579Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1748","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"61ba9dc48ce10b5cbdfff870efb0455f15aa9a52","file":"/var/opt/amazing-file","alert_id":"2601826131.9236859","md5":"4a9a0b8878c1e6cca639f674ed4ecdd7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2074","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"087090e3dc9333613d92d7b9cdc4b9821af7c78a","file":"/etc/sample/script","alert_id":"4658636180.5381722","md5":"b4b9acf8422249f04b6071818ad141f6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2279","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ea082fa4349a94e00372973fb876f62b80aec0a3","file":"/etc/data/file","alert_id":"4850366849.5192628","md5":"7704b3e72d07a0285125140de8472443"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /var/opt/amazing-file - 0 engines detected this 
file","id":"3862","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c78161203c7c360e02a20d4f49a8e71cb714910d","file":"/var/opt/amazing-file","alert_id":"6556012586.0402255","md5":"73888a9715e2032750773f956d6a9c0e"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T22:40:09.152Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 7 engines detected this file","id":"2521","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"75fad5c605769d4378a3f22cc1734c5c18b2d224","file":"/tmp/virus/notavirus","alert_id":"9832459848.2117203","md5":"127cbd02efc441c58e4e1f9634ef5683"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T13:31:49.648Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 65 engines detected this 
file","id":"2647","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f92e8afbf0773bc9946fe24adc935b9b0f879df5","file":"/usr/share/sample/program","alert_id":"4065831261.6344886","md5":"a8e8155556a88a40cea69a297dbd1cda"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T10:27:51.730Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 43 engines detected this file","id":"3927","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ce9ab3d3d2a0a1a850a9a0c93c4e61e6b6927404","file":"/root/super-script","alert_id":"7409005053.3708727","md5":"584f020dc9141ea9949b2ad650813198"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T13:44:10.779Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 53 engines detected this 
file","id":"4982","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ccf25579f293c95d53c7bba44a7504ca5712edcf","file":"/tmp/virus/notavirus","alert_id":"8485566192.9772655","md5":"cab4f0cd4342bcad34ee0b16277bdf35"},"malicious":0,"positives":"53","total":"053","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T04:25:35.158Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 37 engines detected this file","id":"1308","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c157c4e06b4f6939c75590725c55c5822a1757f5","file":"/etc/data/file","alert_id":"1967697574.4088044","md5":"7ba70f0c05bdc6543f93bcd9fb3e32cd"},"malicious":1,"positives":"37","total":"137","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T05:02:36.578Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 7 engines detected this 
file","id":"1106","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9fcbf8429d5c02763b7bc6c62cfddff3dc6e2a73","file":"/tmp/virus/notavirus","alert_id":"1497391145.3233273","md5":"d9fdb68669acc6dda04440f2dc3ed44d"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T02:35:12.067Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"289","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"831f78909e19014d92205720fd647f5bcb2a4639","file":"/root/super-script","alert_id":"0357326139.3425778","md5":"c43fe147df9f885d886bcc6112333696"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5400","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4f38f576ad2cf8fe8eab72dda10aed62691ce2e9","file":"/etc/data/file","alert_id":"0190529855.7817653","md5":"d04b7cf920a14b2ac7ad566ba4700e94"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 61 engines detected this file","id":"655","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b22452516a20aabc4f05fc822faead8c90039012","file":"/var/opt/amazing-file","alert_id":"7389703701.7047959","md5":"ee208976540b86a4f8d0aeaefeabdeae"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T03:55:11.000Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 8 engines detected this file","id":"100","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"21c6392a6c1378a83348d13eb98720bb87832080","file":"/etc/sample/script","alert_id":"3485672326.3435460","md5":"53f5c29c6fcf0addf8a8a0a0c48fea16"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T22:03:28.070Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1080","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5a52251243a1f81c74134ff21b9afa13471e15dd","file":"/tmp/virus/notavirus","alert_id":"4991321111.7808172","md5":"d1b1eafda6bcb0f8c6d3e5c47de128cc"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3838","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4c890615032d44d007615d2ae90d9641d213a776","file":"/etc/sample/script","alert_id":"5444491938.8162606","md5":"9f12b30cf7d7fd01fad66eb63134d3ac"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 30 engines detected this file","id":"2006","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4425a60deb10153119238a73f2f60fb7bb281aab","file":"/root/super-script","alert_id":"9738349169.1018726","md5":"a83b53da785997f703e60e6355f80adc"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T23:19:23.851Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 32 engines detected this file","id":"113","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3ba315b76b3b31c256d47486410216f3267350e1","file":"/tmp/virus/notavirus","alert_id":"4787592758.5249153","md5":"2e37772c36e6b4b562498fc30426d94d"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T08:57:30.964Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 40 engines detected this file","id":"2458","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"996ac2b249ac31472ccc798673802eb5373dbb3e","file":"/usr/share/sample/program","alert_id":"9972946784.5704361","md5":"1d268727dbabf812f4979b9b5920ea48"},"malicious":1,"positives":"40","total":"140","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T01:29:17.165Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 53 engines detected this 
file","id":"3477","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6aa68ec0cf674cdfcd2629de8cec608d759d550e","file":"/usr/share/sample/program","alert_id":"8728328128.3127251","md5":"454b71a5cf3b15abb5298b939c1948ef"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T13:18:05.523Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2345","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1bde1df266d8c0e6fdaaf4c1505102aac90b1df5","file":"/etc/sample/script","alert_id":"0913173810.1816447","md5":"80d4bb7c4ba16a6eeda92284b9d3eeba"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1471","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"cf9b59cec2a7ef104afa8c9188da18656b12f41f","file":"/var/opt/amazing-file","alert_id":"6975382235.3307857","md5":"033fbd0490b6d8e35d7f1ced52d937ca"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"77","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"01c55ad2e13b39d2f5f3b0256c11c840c00b4b89","file":"/usr/share/sample/program","alert_id":"0443285377.9747421","md5":"5f886f4c2acca2fd5c65b7dbf420e731"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3277","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"884d6603b045f5733dca7aba31eb9ac31512e772","file":"/etc/sample/script","alert_id":"0319847169.2273105","md5":"2da1f42807d34abcc15e058736a21219"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /var/opt/amazing-file - 51 engines detected this 
file","id":"2359","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c13c0c3ddd2b502290333ae8c9c46dea438432ba","file":"/var/opt/amazing-file","alert_id":"6276764021.4374214","md5":"2d89a9b42900ba1807d79c257bd9fd75"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T05:56:05.425Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"263","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"544ad255deea3566e4a48b7d70c532114470c1f1","file":"/etc/data/file","alert_id":"8699168766.6725461","md5":"af6fee6a51a9edc71a540f7fb7c93e0b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 46 engines detected this 
file","id":"5270","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a80438fb346e25bb79727a7765551f16b36def2f","file":"/root/super-script","alert_id":"0923105453.6962896","md5":"90b8b10373050e5dcbc75319def9893e"},"malicious":1,"positives":"46","total":"146","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T11:51:01.617Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5290","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9580547df4b9732c28a9a443b12e60e2edb10231","file":"/var/opt/amazing-file","alert_id":"8685217131.0136561","md5":"dafeea18d8c6e2c1d1bdf85c682f86bc"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 43 engines detected this 
file","id":"784","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ec36e07267dd67af4fa5200b80e827d48a589347","file":"/etc/sample/script","alert_id":"8646855574.7319586","md5":"9141920147b2c4dbd53a281f97890dc6"},"malicious":0,"positives":"43","total":"043","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T06:20:40.906Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 5 engines detected this file","id":"560","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2fb6b07a5ce3f9dd30a6d020979e0f11c34c92a0","file":"/etc/data/file","alert_id":"1442724515.7342843","md5":"4e9402c30c9690d19428b46ddf599849"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T02:37:23.764Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 0 engines detected this 
file","id":"4517","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ac5fe0166979a53040f865707eb3b44f9260b85b","file":"/usr/share/sample/program","alert_id":"2981920149.3542166","md5":"1b8e055c737040b7d4f516fe7d1e39aa"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T06:06:50.516Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 22 engines detected this file","id":"3093","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"62c4ef9cc1adafd5517d9a7ef4dd227326322c90","file":"/tmp/virus/notavirus","alert_id":"8783230327.6384776","md5":"3e176fac4c39914cab164e9edd434345"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T23:54:17.531Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5567","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b94b810b9c64b76e9c8d95461a133ecbaa0f9eb8","file":"/tmp/virus/notavirus","alert_id":"2042021455.8776100","md5":"76723edff14128bc33b2f89e67cd5931"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 33 engines detected this file","id":"3471","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4d7ae61f2fba826142e79693916981df1de9d60b","file":"/etc/sample/script","alert_id":"3486914235.9550651","md5":"423913c2b350207b2496c13a771178a6"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T06:58:08.818Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 20 engines detected this 
file","id":"4294","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"903341ef00b455ae637964d86a01881e61d59af5","file":"/tmp/virus/notavirus","alert_id":"7853670253.6407511","md5":"0f017d544e28be819b4466d3c3e8086a"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T11:44:10.048Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1720","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fb7f12311173b1c494697a14f9d767c98f200b85","file":"/tmp/virus/notavirus","alert_id":"6464622578.4538207","md5":"e4cf5e4ac3d6a3bcced473a1f27c071f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /var/opt/amazing-file - 5 engines detected this 
file","id":"1907","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f325e0b80682826211b31424faeeaa1272a88b23","file":"/var/opt/amazing-file","alert_id":"9520863634.4423684","md5":"f4c2b400c7021be3fcf4c0e80f2c3a3d"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T19:55:56.240Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /root/super-script - 23 engines detected this file","id":"3532","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"213e74e6d17747ce586286cb326df7ef3fbc2fb0","file":"/root/super-script","alert_id":"0515735317.5857686","md5":"7e7f728805687a538917ee96f38338a5"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T22:53:10.885Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 2 engines detected this 
file","id":"590","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e1ebcaf0be732b9cd838ef15de252fbe30ad9d88","file":"/etc/data/file","alert_id":"9601928675.6343924","md5":"a7bf8789f7e26135d9809548dd77feff"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T08:59:41.207Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3975","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6c8599f143f404799a16d6f5b19c6548ae6f4e10","file":"/etc/sample/script","alert_id":"9935471855.0608651","md5":"038ae93bff7aa6bce97b7481e3bbc4ba"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5486","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"47bebdf73a81a32dd11b98569d9e7a104a04f42a","file":"/root/super-script","alert_id":"7553578234.8087913","md5":"b82d16e907b26db6a803da7092463195"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 38 engines detected this file","id":"748","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b7cfd2e1fd614e890ef0f99b96d7d93109eb7bfe","file":"/root/super-script","alert_id":"6293484503.3137103","md5":"8b46dd3c02152be4cfa80546f9ebfd6d"},"malicious":1,"positives":"38","total":"138","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T01:35:22.368Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 3 engines detected this file","id":"1774","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"05976b95a074cc750896f79f5a5eb1d6aeb7766b","file":"/usr/share/sample/program","alert_id":"7674918093.6071054","md5":"8a70c997b38a6a6b3988c9c5b1d8bd4a"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-05T12:59:13.997Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 15 engines detected this 
file","id":"5053","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"83227552f8b2fb77e2237a420920a64a22f8b6e0","file":"/tmp/virus/notavirus","alert_id":"5656466479.9346660","md5":"096783e2474682ad039ba05f10bf750f"},"malicious":0,"positives":"15","total":"015","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T18:54:55.888Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 52 engines detected this file","id":"2074","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bfebd0a08a468d4bb6cd7af97a55af9744c22e5f","file":"/root/super-script","alert_id":"8919151644.4794458","md5":"e6ecc6c6972918a9015d4934637bf896"},"malicious":1,"positives":"52","total":"152","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T14:26:34.756Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4503","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b8458bb9163a501b4fa0020a4c74d1942f2b7a9d","file":"/etc/sample/script","alert_id":"4787735026.0217646","md5":"190eacbcbd1ca88d5660a86cc737efbb"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 30 engines detected this file","id":"563","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"81c247d4ba8ead905f4d89f8f061b6b060770a84","file":"/tmp/virus/notavirus","alert_id":"5372006279.1858991","md5":"6f870ec88f149f05670ff1cf28625dd4"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T01:37:45.027Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 12 engines detected this 
file","id":"4325","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"35770cd762e2f8ffd33aa4e4b1e107a8bee9d12f","file":"/root/super-script","alert_id":"6555396745.0795100","md5":"68df23e07dd531bc9b3eb938a759eafd"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T01:54:30.654Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 56 engines detected this file","id":"1845","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bcec7b6bbbc152c73092a3b85f9c89efe3fe1070","file":"/usr/share/sample/program","alert_id":"2427208409.5076871","md5":"329441a604286a9b3e562105a1cf77d3"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-01T17:48:52.894Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 31 engines detected this 
file","id":"4283","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"42ca404ab3e4a218ee4b79a694fca0afccfd9a40","file":"/root/super-script","alert_id":"9085560757.6221589","md5":"c1394b64b581b1c79fd3d12b1e891893"},"malicious":1,"positives":"31","total":"131","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T20:57:17.521Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"346","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"57a1c864aa04736d0abf7e68019d7e3a6332f03b","file":"/etc/data/file","alert_id":"7114524001.8555128","md5":"7d2070c35b5b20246e9c622ce216cbd8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 34 engines detected this 
file","id":"2555","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b4bfe64f9c9a19ffa0503552659217fe8e29f27f","file":"/tmp/virus/notavirus","alert_id":"0519314641.4988213","md5":"af7ca4c43ed012f9bd97a7f679abe175"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T18:23:44.535Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1336","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"407cf13f9cf37001c90773fc00a1cbe298d89865","file":"/usr/share/sample/program","alert_id":"7642609294.2798942","md5":"9eb3513ef7c003366a2157db9791ced7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 54 engines detected this 
file","id":"3775","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ae2eaa202e613c9acc6e975bc8dc6a8d434a163a","file":"/etc/sample/script","alert_id":"7010382749.6364192","md5":"dfa4d7c40b8f29d2c71523ee378c8324"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-01T15:52:15.684Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /var/opt/amazing-file - 64 engines detected this file","id":"4461","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4d18c7e85935533a648f21b8eee9bee1bef6fdf5","file":"/var/opt/amazing-file","alert_id":"8693608022.7878910","md5":"842ff27a130212af9bec3a2d96e2b15d"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T15:48:22.798Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 0 engines detected this 
file","id":"3682","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1f5d33661235f0982051c50474c9308d3f6db452","file":"/tmp/virus/notavirus","alert_id":"2626636058.3973563","md5":"f24a5e9325e9873d7dfebf89b171fa5b"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T21:38:09.380Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 56 engines detected this file","id":"1139","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9a1f4bb16ab6062ce444ab92b311ff18b2c27e86","file":"/root/super-script","alert_id":"1825366096.0762059","md5":"9505d43504711db65215358304c5c138"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T04:52:47.879Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 28 engines detected this 
file","id":"3939","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e69f366c0cb0cf2468a362b7a9bd56c03273869f","file":"/etc/sample/script","alert_id":"2803023204.9337185","md5":"e3e4af313c5ee9e056d05791e6110fc7"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T16:30:22.673Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 63 engines detected this file","id":"5601","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f74dfc5089fcfb8b777e201d66ebb2dc598eca94","file":"/var/opt/amazing-file","alert_id":"2196463364.6791187","md5":"8e99b98055677adc4f54601a75c05dca"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T01:12:25.383Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"926","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0428471cae1b60c8dae31f8f8fd8e83536b205be","file":"/var/opt/amazing-file","alert_id":"6343834688.6537425","md5":"661affca6a58bf1d80a41ccad55ac200"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 26 engines detected this file","id":"4727","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"498285cd147336cf184e6fa69ce72def38654319","file":"/usr/share/sample/program","alert_id":"5732464681.2176484","md5":"a1351fdafe17e90aee4374d20325de38"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T05:56:08.205Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 26 engines detected this 
file","id":"2862","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2e7ea411010a09f132ac0ad40f264ac4b790cf40","file":"/usr/share/sample/program","alert_id":"8114467145.8579561","md5":"b5290a30842cf00816ad184c23329887"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T13:01:35.666Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"16","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"21de020abf73559832512d9ab224f8daae54f898","file":"/var/opt/amazing-file","alert_id":"0814517328.1260369","md5":"803fef14ad2026c136d89d6d8a078744"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 42 engines detected this 
file","id":"1087","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"308cf8e3482c1ff28becdd2c51ac650152e2758a","file":"/root/super-script","alert_id":"7614367834.6375178","md5":"39dd1607276a8abd0abdf228c5c43c50"},"malicious":0,"positives":"42","total":"042","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T04:04:58.209Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2670","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b640cf4e43bb4a4893134d701ae3a13df20e3375","file":"/etc/data/file","alert_id":"3115018174.1794042","md5":"f352b46533d2e882e1fdd485d32ffbed"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 41 engines detected this 
file","id":"2629","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"919b1ce4f9541918f59a66892f5314285ae42b74","file":"/var/opt/amazing-file","alert_id":"2971954129.2806434","md5":"4af77558ef3a468b3957a47b0d95882b"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T06:35:24.195Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 33 engines detected this file","id":"5342","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f12a861cdfd13fb9676ebb62bc4c7a42ce79c1c4","file":"/usr/share/sample/program","alert_id":"4759246605.2832003","md5":"f70234610aa2226bf1fc37c316d17c5a"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T07:39:58.815Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /usr/share/sample/program - 24 engines detected this 
file","id":"2401","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b420e61ae3fffda86de1a1478d5cfee26e3b8ec3","file":"/usr/share/sample/program","alert_id":"9236042314.2056953","md5":"3453ec4a767452fefe68f09b0a7c0af6"},"malicious":0,"positives":"24","total":"024","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T21:13:51.038Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 2 engines detected this file","id":"2635","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8222ca4441100381270e322732fc8cc43c828063","file":"/etc/sample/script","alert_id":"9800174945.7792966","md5":"615f344b4d84f1eb0c820117c4351ba6"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T05:43:00.317Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"688","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"864f2b4599ce572d05a289ff3896d2625aee0411","file":"/tmp/virus/notavirus","alert_id":"5087595212.6706620","md5":"6a9b33b9c18b76510aa936042124a961"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 60 engines detected this file","id":"4113","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9d5dc0d78dd16dce669e9a9117484bf753ebf3aa","file":"/root/super-script","alert_id":"5833627237.4693511","md5":"4b6e4e71d6004e478ae511dc781f36f1"},"malicious":1,"positives":"60","total":"160","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T07:39:05.826Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this 
file","id":"421","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f96fd7b1349fdd0e57eb2015f79b77b70dba0d15","file":"/etc/data/file","alert_id":"4313986054.3768211","md5":"44324215f5f71379d3f8723561ccfaf8"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T22:16:43.062Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 0 engines detected this file","id":"3578","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f7d67e0266836aa9a7119ac792ad5b331596600d","file":"/var/opt/amazing-file","alert_id":"5695335299.9857474","md5":"44ae8ffa7ae91d281a953179174a5950"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T23:02:58.481Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 11 engines detected this 
file","id":"3170","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"06c3d97ee9f401dba32e5badf5b4dacee3bf051c","file":"/root/super-script","alert_id":"7126599504.0779629","md5":"b052c53a9a65f816ff81b685d4f75f28"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T01:20:26.631Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 0 engines detected this file","id":"3483","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"17adccb8000cdba08714a277bcb53fc930c80152","file":"/etc/sample/script","alert_id":"9117705493.5308413","md5":"51999ba205b8a531f4858b63e1238bd3"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T16:38:20.521Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 10 engines detected this 
file","id":"4964","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"35c272485c2345e9642880bd47adfb6c3beff584","file":"/etc/data/file","alert_id":"6906671057.3548486","md5":"c3e04ceaf1a503fc30dc2f0b5a1cc7db"},"malicious":0,"positives":"10","total":"010","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T12:25:21.457Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 44 engines detected this file","id":"2173","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"36901bb14c4941daccf3a487af534361d93b1de1","file":"/tmp/virus/notavirus","alert_id":"9743548282.3147400","md5":"6a39d1938a66a7728f310b1102e220e4"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T10:34:26.873Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 64 engines detected this 
file","id":"4762","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2dd9f556e07fb59abfaf4c7ec977b23a58855a0e","file":"/etc/data/file","alert_id":"2750936081.4032655","md5":"754e3ff1a4caed0e685ade5f10351128"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-01T18:01:18.728Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 36 engines detected this file","id":"3386","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"708d925e8167a9bcf9cc2feb4be388d909833313","file":"/root/super-script","alert_id":"3004754479.7148330","md5":"19a1b84b5c08d15baeea1dacbddd2efe"},"malicious":0,"positives":"36","total":"036","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T10:56:25.967Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 34 engines detected this 
file","id":"350","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ce389ed2352689a37e4518a38f58072a6234e829","file":"/tmp/virus/notavirus","alert_id":"5690558243.4246837","md5":"9e3b13bca0a7dd37c6a81ab4b13912c2"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T23:41:14.440Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 1 engines detected this file","id":"4998","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4ce83dc9807135c5c24aeee682bda5685165f981","file":"/etc/data/file","alert_id":"1038326204.5294090","md5":"db76dd230914ace56b59672b164c1514"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T15:59:31.405Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 28 engines detected this 
file","id":"498","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"429128cdb4102a08da8a4842492f217c7afdadbe","file":"/root/super-script","alert_id":"5195943576.9885626","md5":"6e41d9f5b93572b3f078bb3e9ce4bd7b"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T16:11:17.219Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /root/super-script - 46 engines detected this file","id":"996","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6548bf48e87e54f0ba53ad1aa880356609caf597","file":"/root/super-script","alert_id":"0165545398.6882386","md5":"b3318aedb32d1b6fdf166ef05805e927"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T16:28:54.785Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 50 engines detected this 
file","id":"323","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"36c8463d8bf2d99675e9969841cde5051ea8c7ad","file":"/etc/sample/script","alert_id":"3618698156.0478730","md5":"22f3c24c20e96accfdb521e484140f53"},"malicious":0,"positives":"50","total":"050","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T17:23:57.487Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 34 engines detected this file","id":"795","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ea370b1ccef540d483862cf03148250cc6bc2508","file":"/root/super-script","alert_id":"1074613912.4860161","md5":"98192701af176add6c5cadf04546b046"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T00:51:24.693Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 61 engines detected this 
file","id":"1273","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"aa68c21d028b6568a154bee6447f9b7320199c0d","file":"/var/opt/amazing-file","alert_id":"7278218846.1569308","md5":"40d371f366c5b9d08da5b05ca00c188b"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T09:14:24.634Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2261","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"31fb50038c8f03256443e4038a051d88bd2ff90f","file":"/etc/data/file","alert_id":"8722612853.8572281","md5":"ea37ec565e35c13895f7bd8d095e1728"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 4 engines detected this 
file","id":"2692","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f0fc15658f1ef4a78118541a7505d7b42481f252","file":"/root/super-script","alert_id":"4361103798.9086074","md5":"e455022280cb2f2527274dc4b37e26d0"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T00:42:29.434Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 60 engines detected this file","id":"5711","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"42ea924c09d03f70b2d5e45158242ce2ec5eb748","file":"/etc/sample/script","alert_id":"7554862077.5017404","md5":"6ec0b2924f2bc7865875689c05b9e934"},"malicious":0,"positives":"60","total":"060","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T01:06:56.720Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 46 engines detected this 
file","id":"4527","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ec9e33070ffdbb51c380e9017896db2cf82049e6","file":"/usr/share/sample/program","alert_id":"3604265760.9260884","md5":"1a3f6ba2deacfda43f7c97da13152caa"},"malicious":1,"positives":"46","total":"146","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T12:31:11.313Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 65 engines detected this file","id":"4710","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9dd7d09d4656b82ebc609d7eb8eeebd1a1337469","file":"/etc/sample/script","alert_id":"1242227717.8342842","md5":"677247772e260666d55f680be6d7a663"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T18:07:48.519Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/data/file - 24 engines detected this 
file","id":"873","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"32a1694f58c66b6dd143c4224e6c24c300e0d8bf","file":"/etc/data/file","alert_id":"2376169544.1825683","md5":"3629a4b153ce0c6ddb17d70a37a5cd17"},"malicious":1,"positives":"24","total":"124","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T02:10:52.034Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 8 engines detected this file","id":"3487","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e2dd410ac1ddfb48fdf0df77d6c1041afb1fc78f","file":"/root/super-script","alert_id":"2028952410.4272566","md5":"359524e60bac51c05c9e1ad1c63cf4b4"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T05:12:31.644Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3616","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"33fdd832604f3a5576bdf4a06d9ee39b643625e1","file":"/etc/data/file","alert_id":"1784212303.7243031","md5":"10481fd3d746268a6902b7d207cfaa78"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 5 engines detected this file","id":"1169","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dbca1c61dcfeadf0f4b6c6aaee94310828e7898f","file":"/etc/sample/script","alert_id":"8506088313.6578788","md5":"bf57ad656f40e7c0397c39dcb03b9e85"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T10:18:56.387Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4530","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"33f8a2043b4430dcfe9881b354077914052a4b39","file":"/tmp/virus/notavirus","alert_id":"7420108293.3053572","md5":"d0e980265a76ad9d23c73696627432ec"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5247","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"76f1cdc3af051fd737d9367ec38f76624f3acc13","file":"/etc/sample/script","alert_id":"3083633824.3145345","md5":"a43bb57e273ede087ddd4b0d2d7a1704"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 25 engines detected this file","id":"255","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"98654f7c6d9f6cd1f1def8f7580a9e2c881515dc","file":"/var/opt/amazing-file","alert_id":"2137993079.6230904","md5":"bd784f5a88efe92ac796b751ef8a81fd"},"malicious":0,"positives":"25","total":"025","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T20:58:40.365Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 57 engines detected this 
file","id":"3858","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"240907aec50cb084581966b80d9dcf4e85707c84","file":"/tmp/virus/notavirus","alert_id":"0560149087.4341881","md5":"20edd827056844276ee08a1739673807"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T16:53:21.945Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 55 engines detected this file","id":"2663","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"37af46d49625fe5c84c467ac9c489e93edc7d59f","file":"/etc/data/file","alert_id":"3398197248.9081099","md5":"d0d2ac7161faf6cf040daebbd75d6632"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T20:17:33.400Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5473","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d381d7acf0503914b31681ccf21b933f8ac60794","file":"/root/super-script","alert_id":"0192872335.7102159","md5":"be44982fd779699501f79a8add352190"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 6 engines detected this file","id":"4804","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"85ea519181f323e0adeff774f82f5570bd4b2061","file":"/etc/data/file","alert_id":"1271321853.1416813","md5":"fdddf5d4800bf7c8ff6e57b437c10423"},"malicious":0,"positives":"6","total":"06","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T12:25:52.394Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 4 engines detected this 
file","id":"334","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9253b2880781a5fccb0096f3939f067791e338b4","file":"/tmp/virus/notavirus","alert_id":"7272168080.9522495","md5":"84548bd128ecf5fc27ff6527604a7f1a"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T02:20:07.518Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 53 engines detected this file","id":"2984","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c137c4ec2a67ed249d10ac71dcb7529846fef409","file":"/var/opt/amazing-file","alert_id":"8033592321.1942906","md5":"350b8c1f6aa7250621103dd2ad2c810a"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T14:27:17.273Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4100","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9743f7d50029b1d6070c213e3ab5b7b8a52447df","file":"/var/opt/amazing-file","alert_id":"4538918892.2655570","md5":"55189d199b7e00c9efde72fa1ba10081"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2607","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4961f0512833f07b4baa079a91bc055cfba43821","file":"/etc/sample/script","alert_id":"4995591217.2853001","md5":"b1bb5e07d932e521ad58d34e091d83be"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 8 engines detected this file","id":"2777","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5d62aee7a27e3f919e61ae0adecd99a7b1f54508","file":"/usr/share/sample/program","alert_id":"2213766445.2204471","md5":"7cb3d15dc0c36375663d85c0bab9e009"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T23:27:21.983Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 3 engines detected this file","id":"3387","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cda57465c125bd9e59db2ad079ad10ea25bb4624","file":"/tmp/virus/notavirus","alert_id":"2571938495.7637857","md5":"229e4b24408c5edb9f3a0cf26d2888bb"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T09:28:28.634Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 54 engines detected this file","id":"2443","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f2caf793a15a0aab705dbf6d58b23354111310a5","file":"/etc/data/file","alert_id":"0923829632.6841029","md5":"968e25909368b459c3edee27bab8dea0"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-01T21:58:13.990Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 28 engines detected this 
file","id":"4973","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"511bb26d36a4556e96a05444c628ab8fdfffae3d","file":"/usr/share/sample/program","alert_id":"3466684878.1393783","md5":"a553fd9a4c3d966ae6972fe5fd41e731"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T02:53:38.503Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 11 engines detected this file","id":"3175","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"47f85770b58b88fd292fa0e5d39e1590ff044d64","file":"/etc/data/file","alert_id":"8062552066.7729021","md5":"ca936ea401c1ec014e5330f07fe27dea"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T00:05:18.074Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"326","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7bcedb80714c3fcc8d9f1b47ee83924bb91eb147","file":"/usr/share/sample/program","alert_id":"7710861745.8502913","md5":"a06f700874fbae3edd537b2522083539"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1697","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d321ad9adef590c3d9d17c57208def37c2eae6cf","file":"/etc/data/file","alert_id":"7204929832.1986952","md5":"b54f571d2c83f5290c19986dcf3c64e9"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /var/opt/amazing-file - 17 engines detected this file","id":"5759","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"571b75196ce0fe56244413f486bc25dd5363697d","file":"/var/opt/amazing-file","alert_id":"0653918920.4700652","md5":"e1562f66e1bcebe5fe51ab666cd52b6d"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T16:36:04.709Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3926","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"acd19c069be959a213ecfd0f3ea474b52f6b2269","file":"/tmp/virus/notavirus","alert_id":"3475627613.8814209","md5":"eaa8a8e188052d16b303713dfdee0928"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 40 engines detected this file","id":"427","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fed1cfda0255cfa050fe12808ab57c27ea9020f1","file":"/root/super-script","alert_id":"4805554048.2395583","md5":"aa3e1206244cf9aba6c5a149ac6dd410"},"malicious":1,"positives":"40","total":"140","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T07:52:45.709Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 12 engines detected this 
file","id":"4053","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"05b2474859f5147fa0b56705edafda7d2b61243f","file":"/root/super-script","alert_id":"0340338474.8911970","md5":"ba9befa090a8624e5eb7105f1f93ee81"},"malicious":1,"positives":"12","total":"112","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T04:43:32.320Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1023","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c83fdb3d929bcb342bbac175eee0c9b8870125ef","file":"/etc/sample/script","alert_id":"7072926790.8588292","md5":"3e6d0a2bc4317c969d4a8bbb2c1831b4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"923","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b6a1cad5b4b5a36cce8ab540b49bf0ca6acce96d","file":"/var/opt/amazing-file","alert_id":"5370836522.2146377","md5":"24af4110ab52c807c9c2998dae95a298"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"223","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ffce205359efb3ee60318991bd39bdf9ab9e96f1","file":"/etc/sample/script","alert_id":"5372265419.1358802","md5":"7d8d007ed448efd6614f50c2aa585096"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"132","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e5eed7315c88c33d024da3a11d4e8b3947e2409c","file":"/tmp/virus/notavirus","alert_id":"0429366109.5841379","md5":"14260b5f40810f36950d776ef6d965ee"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this 
file","id":"3428","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6b14de01b60cd911c350ac01b26414dfe5227da1","file":"/usr/share/sample/program","alert_id":"2278076619.6286972","md5":"17a0ea27c4c2beb7fbff936eec060a41"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T04:46:35.581Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 24 engines detected this file","id":"1833","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"98caae0f20ad5cea97675a30c851bca6d9093b1a","file":"/root/super-script","alert_id":"9564563695.0113725","md5":"5a22474ce43c12876ee721c53a123499"},"malicious":0,"positives":"24","total":"024","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T13:46:44.176Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2387","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c990e3a2294830cdafa3ef199992f74ada8c6336","file":"/var/opt/amazing-file","alert_id":"4463132423.5786900","md5":"49dfdd28e4daf74b04b13bc20f8429c5"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3604","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"49bee3c34aadfe16cadade0a023236b933148977","file":"/usr/share/sample/program","alert_id":"0818514756.6985983","md5":"1d06def3beb33fb115e0d9d7b80dc207"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 20 engines detected this 
file","id":"5522","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e15ac78bdaee2003844b74bb5dfe4f155baa3252","file":"/var/opt/amazing-file","alert_id":"8201496121.4366573","md5":"fd1079a8b4e76db0dc3159bed93d61f2"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T16:34:30.988Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 11 engines detected this file","id":"2584","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c937a670cf60f781d88e94944cf6cdbad5bc1a98","file":"/etc/sample/script","alert_id":"9561194841.0252467","md5":"03f14895c775786a40a0bd05f261ce20"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T18:26:31.522Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 2 engines detected this 
file","id":"2990","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"01b0a138349044c62724c568602d7a8b9772a79b","file":"/usr/share/sample/program","alert_id":"8311031976.4457260","md5":"b9124e34f795376bac001dbe13ad94f4"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T23:44:48.409Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 22 engines detected this file","id":"4282","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0f739be42313209b2276d541c55b18f6f088268e","file":"/usr/share/sample/program","alert_id":"2759645014.2634408","md5":"845dd5c30afe63759ca7332410f17b1d"},"malicious":1,"positives":"22","total":"122","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T01:38:46.585Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 60 engines detected this 
file","id":"1999","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1476441d85291f1492c0c6c03adeebbaca41ab7b","file":"/etc/data/file","alert_id":"6333163074.2812179","md5":"f9c6d0a069a1fa131e85a52de1ab6093"},"malicious":1,"positives":"60","total":"160","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T23:51:10.726Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 36 engines detected this file","id":"699","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9df1c8f9ec490b41ac09f4408686ef2abeba7f36","file":"/root/super-script","alert_id":"8085663268.3783892","md5":"d50391b228f91b965af3675ed0b694f6"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T10:45:06.376Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this 
file","id":"457","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ef82f7b1911313ce2fba124562ba14b877f3c979","file":"/etc/data/file","alert_id":"2764632623.7811752","md5":"4d146632ffc7e11532318f59e3a289cf"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T08:20:21.537Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"846","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e49041524dedbbe97578663b73dd274f032fbd4b","file":"/root/super-script","alert_id":"1215883409.6192970","md5":"68d3f16b0068464d1aa7df0a5bf2ddda"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 57 engines detected this 
file","id":"5314","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"791f3e732c7e3b206347c47f9a5ff5082949485e","file":"/usr/share/sample/program","alert_id":"8545003823.6048328","md5":"d79e4f7ab6979fb78159431b79522350"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T01:52:47.540Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 51 engines detected this file","id":"2613","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d8c58e1820e98967399f50339ebb44b3856d945e","file":"/root/super-script","alert_id":"9373417442.4852999","md5":"656a3d652624e47c95a3a3aa417d22c7"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T08:19:19.052Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 13 engines detected this 
file","id":"2022","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c1e04789c5afb76d6a7b3c38accd6c9b86e615a7","file":"/root/super-script","alert_id":"5634477373.8185197","md5":"deba773b0e55059fe267fb4c5d3ff9a2"},"malicious":0,"positives":"13","total":"013","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T10:05:43.108Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 56 engines detected this file","id":"2238","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"230b627a99d10d0cce33729fc32f632670ff0ad2","file":"/etc/sample/script","alert_id":"9326909998.5054461","md5":"033d96370b08c5bdc6f317a09de98ecb"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T05:51:32.065Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 4 engines detected this 
file","id":"3591","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1e16530ba3d138cd5dd572d440489707891a59a6","file":"/etc/sample/script","alert_id":"5973982430.3155655","md5":"23dd767444278c426b83e943ce2ffaed"},"malicious":1,"positives":"4","total":"14","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T13:45:34.770Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 38 engines detected this file","id":"2287","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5323fb734fa2f50ebd565c6ec53adc44ccf5289d","file":"/usr/share/sample/program","alert_id":"6752584808.6541141","md5":"0363386d812b06f0b3dea8609fcee75a"},"malicious":0,"positives":"38","total":"038","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T03:57:20.137Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 30 engines detected this 
file","id":"2091","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5948a7e553f381abe32a771d6c6d9a3a8ecbff3f","file":"/root/super-script","alert_id":"1849890651.9664471","md5":"e5448a6cfc63c0463fae9fefec33d0c3"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T06:21:35.096Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/sample/script - 62 engines detected this file","id":"4342","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0c10eb848ad0b431ffc8f7762f4138c80532e983","file":"/etc/sample/script","alert_id":"5625755845.8338216","md5":"c28474c3211e33ebda87f2c8147efd53"},"malicious":1,"positives":"62","total":"162","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T09:01:44.741Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"909","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"935ab9ab609182884e9786b56fcc5e20f1fa47f4","file":"/etc/data/file","alert_id":"3951593076.1423701","md5":"61957da688da35f12bd85d693f5ef558"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 59 engines detected this file","id":"498","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"82faaa73684eb0e120b249371e02c3edef8705a0","file":"/root/super-script","alert_id":"0984676147.1308605","md5":"0469821401986e5a26af308f853dee08"},"malicious":1,"positives":"59","total":"159","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T18:00:40.286Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 18 engines detected this 
file","id":"2205","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b758401761c163a024c3ffde6c5c22689b3dd6f3","file":"/etc/sample/script","alert_id":"4357318853.9005981","md5":"14c25c9e42be39f23b0006e06fe3f617"},"malicious":1,"positives":"18","total":"118","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T18:03:26.532Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 2 engines detected this file","id":"3108","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8f494822c1b997ec8539284788a859a7ad19fd7d","file":"/etc/data/file","alert_id":"3217942206.6885673","md5":"341dbd8b9ca976bec1288013e5871a59"},"malicious":0,"positives":"2","total":"02","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T22:48:32.267Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 44 engines detected this 
file","id":"5418","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c99629616ef43df18a8f4d37e34018e422905816","file":"/tmp/virus/notavirus","alert_id":"4300050607.5515274","md5":"7b3167b214a890ddaf38bca6230f46e3"},"malicious":1,"positives":"44","total":"144","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T01:28:40.162Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2122","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d69d6a1d46c06c3703699aa5a8b28c5381393a30","file":"/usr/share/sample/program","alert_id":"5078429222.7553625","md5":"b661dd7873058f3f5e2c25c0776d6327"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"782","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c94aa74ff301903875e14728d323e473ee2ee825","file":"/root/super-script","alert_id":"3435365793.3957279","md5":"59ec8f258525509f9fc0c5455b79d475"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4374","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5c722a3c3a643715ca9cc37f1dc81bf73911fc2a","file":"/etc/data/file","alert_id":"0557232347.5203162","md5":"3ef80a91981deee444fcf575ea566b66"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 1 engines detected this file","id":"4748","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5ab6d65326f8772268cb4a2ce34bd45d9fde2a5f","file":"/root/super-script","alert_id":"0372897271.6797742","md5":"594c4b4184f4c7bffe3cd779d0c15971"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T07:19:38.025Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 54 engines detected this 
file","id":"2543","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7a9521d81e378f54bb1d9bca422890e5eb1a2a1c","file":"/etc/sample/script","alert_id":"1937839451.0842898","md5":"83dea707904c422ffb8e63181eceefdf"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T23:52:01.633Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 1 engines detected this file","id":"3573","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4a885fb640a1d3b64f5301894f7361da136c674c","file":"/var/opt/amazing-file","alert_id":"2545289149.3542363","md5":"cc1c0b0f868b435339a29ca72834b636"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T12:52:55.519Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /var/opt/amazing-file - 34 engines detected this 
file","id":"36","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bd75d094e3071e05ff7281035cdc57f6821936b9","file":"/var/opt/amazing-file","alert_id":"9477161318.5087035","md5":"365dd3aace3cdc822368a4a1c6bcda4f"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T11:46:02.519Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5887","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"bc46393c9e47f520c3125856614b73c40699a57e","file":"/tmp/virus/notavirus","alert_id":"6676791390.8241055","md5":"0490dc1d1006896e9255b774ce140b41"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4572","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fb1c96bdbd137f0a84d650a305d889e5deec99be","file":"/tmp/virus/notavirus","alert_id":"4637942256.0289897","md5":"a7efe9d16248fa1aba4a848d0b5211ef"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /var/opt/amazing-file - 46 engines detected this file","id":"3815","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2586bf322a6ac862fefa7c14e16add358414c739","file":"/var/opt/amazing-file","alert_id":"6648523753.5288940","md5":"f08f427bc47d7ef8e1294ee2d49953e3"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T15:18:41.012Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4247","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b70885899e5bfba11eb86b2898be948825801410","file":"/root/super-script","alert_id":"0553762871.8995037","md5":"a0d39e86b5918384bcf54b6584672599"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 14 engines detected this 
file","id":"1684","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"44ae22be4a1c48696010d1f2bceb7e7505385aa1","file":"/root/super-script","alert_id":"0571732566.4232896","md5":"39cdc795ea55d02c967a4f89474fd332"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T20:31:35.829Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5403","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ce6a4fe4cff9c5818fe71c28de5df02d7c4bf0f1","file":"/tmp/virus/notavirus","alert_id":"9495736563.9702637","md5":"42f2b0d1564d311c2ba2cdb364a4285f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 27 engines detected this 
file","id":"3511","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"40400dd5b2a93bc62abfa47351e93419eba2fb2b","file":"/etc/data/file","alert_id":"9870340177.1137470","md5":"ce3317c24fff8249cbbc69f80a00d295"},"malicious":1,"positives":"27","total":"127","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T12:55:40.089Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 32 engines detected this file","id":"4483","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4397a2712b56a48cff45f1dcb82ebc23937d9c7e","file":"/etc/data/file","alert_id":"0797096188.9475071","md5":"84467fff7ba002aaca60e553dada7437"},"malicious":1,"positives":"32","total":"132","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T15:58:01.953Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /usr/share/sample/program - 56 engines detected this 
file","id":"2093","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1dcc00d285b2943475880d61485404a0bc85b98e","file":"/usr/share/sample/program","alert_id":"8851140855.2870451","md5":"cf5a7acefc5b43e8fbe7d0a36f13e86b"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T10:51:53.683Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 34 engines detected this file","id":"2792","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c2edf687e016abc40d2a9a3bbe5a07e8f9dea746","file":"/tmp/virus/notavirus","alert_id":"8949035757.8863153","md5":"077ac21fca58d163f871b7703ef5af76"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T22:05:27.183Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 30 engines detected this 
file","id":"2804","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"23fb644cabeeec8a3dd8e7d70db50781619f39d8","file":"/tmp/virus/notavirus","alert_id":"6316606142.1160086","md5":"32d7b879c7de4b380aea125c9868472e"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T15:36:11.047Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 39 engines detected this file","id":"5702","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"171dccd3a048a8c5a21218dc411bd33569238438","file":"/etc/sample/script","alert_id":"5552327332.0791544","md5":"72c0569fb04ed87da81e19c409c4cfbc"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T19:11:47.774Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 62 engines detected this 
file","id":"2553","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d1f0cfa26a0b02d9f1a5bcc8def1e54c61dbcf26","file":"/etc/data/file","alert_id":"0093378785.5328161","md5":"67e1d67c604c3385d087a1260fccc70f"},"malicious":0,"positives":"62","total":"062","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T14:24:00.141Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4056","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8aa0c580ddbbd8584609ca0faefe94eafee892db","file":"/var/opt/amazing-file","alert_id":"7127645433.5142485","md5":"4f60b32e327186a9dd3ac8c11442b264"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 19 engines detected this 
file","id":"2062","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"68bdbc7b59872ac1c683f4220325ae1c8f1c8cfb","file":"/usr/share/sample/program","alert_id":"8842814000.7257563","md5":"b455d1424e5593e68121f91f55840626"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T19:42:20.733Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 35 engines detected this file","id":"5150","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f2f383ff78d7b88d97dd89a5950b3303ff699e69","file":"/etc/sample/script","alert_id":"5360099908.6198319","md5":"83052b396c306f245cf1ee17045ea758"},"malicious":0,"positives":"35","total":"035","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T05:05:19.463Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 34 engines detected this 
file","id":"5232","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"31d7513b915c8a318df8c2f12c0fbce1c542e3b5","file":"/etc/sample/script","alert_id":"4931268958.5291176","md5":"3772a3fc6a255a90a979aa31d8df28cc"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-05T21:02:05.042Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5430","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"58503ff4a88ee485b1cd0dd2f88df6af1eb23c58","file":"/tmp/virus/notavirus","alert_id":"4035362958.8189783","md5":"7a6e1c4e8a5885ecd0f0c356b499964a"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 35 engines detected this 
file","id":"3147","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1bbbad1788613dd4ce2c1c44e8d822db7824f4d5","file":"/etc/sample/script","alert_id":"5898066777.6288488","md5":"b61c2a37d4e57bcd8e2d77741348cdab"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T02:42:49.098Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 48 engines detected this file","id":"1776","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5c8759976fa0fa959e3ac2b099beb46de6319ce8","file":"/root/super-script","alert_id":"6555105067.1616698","md5":"88bb17d3de709fd7c49401a1681efbe0"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-03T06:52:05.451Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 13 engines detected this 
file","id":"833","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a9e2159049b3547d04d85a3b1c69b07fe4087efa","file":"/usr/share/sample/program","alert_id":"9840340721.6283159","md5":"992e6abcca6501936d78cae33f100b9d"},"malicious":0,"positives":"13","total":"013","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T22:30:28.194Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 28 engines detected this file","id":"3369","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f4c6440f0602a2ec0624b7569d4e04dcde6522cf","file":"/root/super-script","alert_id":"1413107538.5029481","md5":"ccc5f2470163f3639ad9bcf47641968a"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T07:42:46.788Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 11 engines detected this 
file","id":"5618","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"36cad5c28a8fdc3b7aa78723fb9afa122005ce35","file":"/etc/sample/script","alert_id":"6199878233.8869806","md5":"89b291e9f0f57d5f3d7b160385163377"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T13:35:13.302Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 42 engines detected this file","id":"2831","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b1c9ada070f1f168bff8344d491f7ba6cdffb5a2","file":"/tmp/virus/notavirus","alert_id":"3481658187.6657276","md5":"be4ebdaf8e8e57cf587b528865230e87"},"malicious":0,"positives":"42","total":"042","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T14:07:46.264Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 29 engines detected this 
file","id":"1095","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"444a8bc0eed0ebaba26ccc981b64757a6224140b","file":"/etc/sample/script","alert_id":"9835975881.2429837","md5":"c43eba55ff611a99165ae091af8f0831"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T17:16:57.844Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4336","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9d08dba32a20b948c359cb0fffbc21a1dc87f969","file":"/usr/share/sample/program","alert_id":"7409288755.5382151","md5":"ab1d78f11fd4e7ae2a4a3670f7d6614e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1878","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e0ac6c271f730453240a22fcd9d72ea7fb93ddd6","file":"/etc/sample/script","alert_id":"2276959393.3973179","md5":"a75d0af95ddfca357657fa3c804aeced"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 14 engines detected this file","id":"3158","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"324e3bf3fb6e16e814b95a83cf320f1ca84a904c","file":"/tmp/virus/notavirus","alert_id":"0412490466.6925036","md5":"9be3d66aa1512909ae7c2e61f2b4b9fd"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T06:24:25.955Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 49 engines detected this 
file","id":"3211","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"43c073655ed1d6f3411c8c1b5e66a1a4903362d9","file":"/root/super-script","alert_id":"7567342009.7998624","md5":"13014054f52aed231aafdf99e3b93331"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T03:48:27.281Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 37 engines detected this file","id":"877","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3b0025e4df81a4e7b42ee729e81cf6f4d0460806","file":"/root/super-script","alert_id":"3986359950.7436876","md5":"7f8c9ab75b04e7a27b9f5b6426b00ae3"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T20:18:06.507Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 32 engines detected this 
file","id":"2858","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b06ad6e28eea6fd0e7bc98705f1badd67eb6033e","file":"/usr/share/sample/program","alert_id":"1396867432.8174912","md5":"34b5d8d9ee48c7d6d0e862a508466654"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-08T11:47:02.459Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 22 engines detected this file","id":"5728","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7428a864adbf0acac5475f80e7ef333b9561c1a0","file":"/etc/data/file","alert_id":"8361794083.7484211","md5":"88deaf46f1b39609720649942c08dd81"},"malicious":1,"positives":"22","total":"122","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T14:03:59.904Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 57 engines detected this 
file","id":"769","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"479e46fd184f81da660d4913602ac50faefcb505","file":"/root/super-script","alert_id":"5200332670.5735602","md5":"ce45b71b0b11f0d52a5c28c7bdb16a82"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T15:40:13.771Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5750","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"17e8e10c4674b1b79992f762c8b9c966d6f7f847","file":"/var/opt/amazing-file","alert_id":"8189857131.8988687","md5":"41813badaf37b6358202e2895d4d737c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3998","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0f7620ae331059bd97a231afe5de75a3cf694517","file":"/etc/data/file","alert_id":"5912475775.8836081","md5":"36d5887b0410b7acf87d08c3bb84898e"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this file","id":"2690","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c75172c214b9f6fc66e45b11d2cad8d9c441eb07","file":"/etc/data/file","alert_id":"9044928744.1813700","md5":"444188d9bec675ce632a3a168cc21f0a"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T02:21:48.442Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 10 engines detected this file","id":"5596","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dce9c3367caeea41666d58978285a7177b22d86a","file":"/tmp/virus/notavirus","alert_id":"2508160637.2243513","md5":"4aef99bb2bbd87944624aefb49084e6b"},"malicious":1,"positives":"10","total":"110","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T23:15:26.474Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1279","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2c185c6069305fbbf049dd499234d10475d49026","file":"/tmp/virus/notavirus","alert_id":"2238143186.6943369","md5":"560d7d2b298ed15ce092aa36ce5670f6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 57 engines detected this file","id":"398","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c8285802d5d4667f358e454a312d081196797cfb","file":"/tmp/virus/notavirus","alert_id":"0384588089.3838188","md5":"05fc53fba94f98664e05b57a7f36ff85"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T02:00:52.845Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5363","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"69bea8759bead915c538cdb1c64d4f78540de072","file":"/etc/sample/script","alert_id":"2242919780.7191288","md5":"b157a30c3072e1257bb776efe568e9f6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 26 engines detected this file","id":"1850","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5ca86c5ae4d3bc6983ac7651ae0935cb82ec3af3","file":"/etc/sample/script","alert_id":"4001082314.3991225","md5":"40a506d976e9cd2af307a03afcc0df08"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T14:51:35.332Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 21 engines detected this 
file","id":"1436","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d24dc028cb14da8984afe4a2be529b34f21fc5f6","file":"/root/super-script","alert_id":"2267312373.6583937","md5":"e8c6b1220fabe43a6127dd9104801348"},"malicious":0,"positives":"21","total":"021","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T08:13:12.109Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 7 engines detected this file","id":"2794","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"82f548eaa181850dd1bc16060fd3eb6643fd601c","file":"/var/opt/amazing-file","alert_id":"8815390293.3921021","md5":"83f0cdac4035b6a0a5c587cd9f005581"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T11:39:19.970Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 46 engines detected this 
file","id":"5855","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b2000633c5a83b04ed7e83feaa45742a040caccf","file":"/tmp/virus/notavirus","alert_id":"1505487996.2409304","md5":"ea11c9e56b5ab1608cf822ba9989126a"},"malicious":1,"positives":"46","total":"146","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T07:09:11.319Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 49 engines detected this file","id":"3932","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d0ddf8cd55b879b137eaf0c82e7bd64ef51e854e","file":"/tmp/virus/notavirus","alert_id":"2359034852.9031965","md5":"597672834bbcd05c97550dd9bb216c59"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-08T08:51:42.569Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this 
file","id":"1039","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e99fb5a23e9a2b07aaa52d0b5aca1343861dfa20","file":"/usr/share/sample/program","alert_id":"9293236569.1763479","md5":"16fac7b08dfce32e5e74f4fb1f86a19a"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T16:38:57.558Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3262","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6bb3a581b1cd390e529ac5e8d1a72192a00b1773","file":"/etc/data/file","alert_id":"9251812842.0554616","md5":"be16d282eac7ef72ba98575b1c1b7ce6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 43 engines detected this 
file","id":"1280","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"20c0b93df1f30ecd3c1f1d9e2fdb62114195a629","file":"/var/opt/amazing-file","alert_id":"0407122943.7782292","md5":"4d06b1b836a6b9421bd2190805dc665e"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T22:29:27.156Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1154","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e608b0fd96e2f914ce17976c89c40b83fb75aae2","file":"/etc/data/file","alert_id":"1958695465.4898245","md5":"f1e6c5780ebb0821ea794303ea77a903"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /usr/share/sample/program - 18 engines detected this 
file","id":"3960","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e733c29bbe46f66d3dfcdf415c1e779104167727","file":"/usr/share/sample/program","alert_id":"0178496847.7081362","md5":"dc0b5d86b0357f9141c1c0c35dadeeab"},"malicious":0,"positives":"18","total":"018","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T12:12:50.033Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /var/opt/amazing-file - 5 engines detected this file","id":"283","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ef7dc7052bdcd27cf798304292102a769384a499","file":"/var/opt/amazing-file","alert_id":"3503096625.2886579","md5":"cddbc0f4c5c3f6a8fc0af5c0b6a72261"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T05:35:01.417Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 5 engines detected this 
file","id":"1309","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0f7fe7090b04a3fda4c47d59be39680f10b82436","file":"/etc/sample/script","alert_id":"1109225719.9531344","md5":"733abf0c3822828582f2a43bdebe185d"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T09:13:06.525Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4107","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"11f0f1e45bcec0cc12e63d62c8fde5694efcf166","file":"/usr/share/sample/program","alert_id":"2074023074.8697259","md5":"07d332d67441721fef1ebb97ea6d9906"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 13 engines detected this 
file","id":"3618","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6959d2db3073074abbabb824def67f862e3c3be3","file":"/root/super-script","alert_id":"2062837198.2338282","md5":"b2195a4f40a661e276df26554746840b"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T08:51:16.305Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 46 engines detected this file","id":"3392","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1d5a9ca679f402f655fcf7712069d754e5b4451e","file":"/var/opt/amazing-file","alert_id":"2423005096.0315531","md5":"9169b6122fcbb711252dd072083649a7"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T19:02:20.929Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5449","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"26872a54e8255501805e5bac4f7bef52912b11e2","file":"/var/opt/amazing-file","alert_id":"4974655950.4505711","md5":"b5173fca659aa3806aee123af9ffb965"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/sample/script - 4 engines detected this file","id":"5469","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e014522a72b10337a61417205e9845c47b843388","file":"/etc/sample/script","alert_id":"1543540928.6673273","md5":"56acc52b00f4584f2b773dc3dec40f7e"},"malicious":1,"positives":"4","total":"14","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T07:44:38.573Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 22 engines detected this 
file","id":"3677","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ae46acac1e544b508c412c4ed31da15683400ac0","file":"/tmp/virus/notavirus","alert_id":"7929199580.5321517","md5":"50fdc3397f8e7bdf0cd3007b52a92474"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T15:01:18.224Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/sample/script - 14 engines detected this file","id":"2568","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"228b864de3b5e664dbdc5147b32b1f52a3702fd0","file":"/etc/sample/script","alert_id":"8940436661.8401010","md5":"fdab70f13e3a07cc70e07aee3bbe67af"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T02:18:58.873Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 10 engines detected this 
file","id":"5427","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"823d5eeef507cf61c37210f499172eb06f324900","file":"/root/super-script","alert_id":"8773432678.0149697","md5":"dcffda0637f411c905d34e401b6aa0d3"},"malicious":1,"positives":"10","total":"110","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T15:58:54.364Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this file","id":"769","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"17815980e172ee0b4c4fe206deb29405ffcb1798","file":"/etc/data/file","alert_id":"6291826556.7564151","md5":"1a87ef32b94c6d5c867abc5773f10ece"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T02:17:21.597Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 52 engines detected this 
file","id":"1755","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7647b85c049e9f2a9fd03e518527f2e19ad378a8","file":"/etc/sample/script","alert_id":"6798857585.1706669","md5":"b52e456fda5b29f817b4b5df6ce12144"},"malicious":0,"positives":"52","total":"052","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T08:52:52.774Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 16 engines detected this file","id":"944","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2de2e9314e4281caac5752ba8e83aabbe0f1b0b6","file":"/tmp/virus/notavirus","alert_id":"0556535569.9651007","md5":"78ac0a924cae2435998ab12facefff91"},"malicious":0,"positives":"16","total":"016","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-01T12:07:56.618Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 46 engines detected this 
file","id":"3375","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"111d979e768c48f3290e7b94eb8113d812070921","file":"/tmp/virus/notavirus","alert_id":"6867198099.3614402","md5":"c9f77e6ff3a393a6e64e72e26a64120a"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T18:31:08.712Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 20 engines detected this file","id":"904","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"957c96d2f9a0557786359b8bf28347c8bddc1b99","file":"/root/super-script","alert_id":"1987171069.6850851","md5":"26c0873cebda02e309b03f3792a3714e"},"malicious":0,"positives":"20","total":"020","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T16:58:09.421Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /var/opt/amazing-file - 13 engines detected this 
file","id":"1912","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8770123f1b4ecd2d7a0bfa4be2f80bf1b602f549","file":"/var/opt/amazing-file","alert_id":"3015030800.8813789","md5":"07e11f720e6a613a2b45cfc77833ea23"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T01:37:52.169Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 49 engines detected this file","id":"680","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"eed6c7450b9f5a2f03bf961cce6cb46686146771","file":"/usr/share/sample/program","alert_id":"1956410132.3254815","md5":"4b6a9c4fe2dedc89a19234cac0fb6a74"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-08T04:16:06.660Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /var/opt/amazing-file - 3 engines detected this 
file","id":"3969","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8a90de0100109cf6f7869738e2c947bf350ca832","file":"/var/opt/amazing-file","alert_id":"8071709147.4936701","md5":"e0296dd47e390804446ef499ea20c34f"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T16:16:44.426Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3006","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"60999cc18125c613147ad7058f0c586ca76ba2ea","file":"/usr/share/sample/program","alert_id":"8001000782.4481968","md5":"4105b1d94e3b876ca4a10b6a0e925486"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 32 engines detected this 
file","id":"3532","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5ba925867084aa3e57a5896cd1a7c7001d267404","file":"/etc/data/file","alert_id":"8796662171.2745250","md5":"9f15fdb44c712bf761fddfcabcf5c278"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T19:46:03.273Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5520","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"bc86e1fbda899e6503da5d525266d089370cb4c0","file":"/var/opt/amazing-file","alert_id":"5428714871.4943403","md5":"a91ab7b3837e8098c47d2c21a491b60c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 10 engines detected this 
file","id":"4325","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"eb826143cc4f13acf66dc5dbcb6c4ab4007d2b41","file":"/tmp/virus/notavirus","alert_id":"6212844255.9428713","md5":"3e5746d31306cf08d843884677e4ddcd"},"malicious":1,"positives":"10","total":"110","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T23:16:40.471Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 14 engines detected this file","id":"1505","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d7f129ae4aedb3676370282eb3e58305f9ce476d","file":"/var/opt/amazing-file","alert_id":"1495108828.1107735","md5":"d6d4428273db34594ec361a42e2fd0f2"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T14:52:42.542Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5408","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"204b961e6329738c795085e9c96f12fd3381d7b1","file":"/root/super-script","alert_id":"7059628650.5326214","md5":"4de23920451c275a0b0685c3416e3f42"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 11 engines detected this file","id":"2242","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6db7d6c80249f5eb771ba91136492459af228f9b","file":"/etc/sample/script","alert_id":"9814581189.5423695","md5":"4c693868d01332fa9170b077669da8c9"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T09:01:21.909Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4466","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"058260eefff8b7ad757a1b57b8e711ed7780063a","file":"/usr/share/sample/program","alert_id":"3089207452.0768111","md5":"24db02d7bd65abbc65874ac9c04ba77d"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 28 engines detected this file","id":"4331","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3e66fddfc8667e7e188ebc2d8204d1615c6a07d5","file":"/tmp/virus/notavirus","alert_id":"9476163949.7381140","md5":"0cc579e5b0938556b2ab5913d0bbd9ca"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T15:03:14.948Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2966","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"548407b55ee30c59f5d8cb41bb93bb2df86346a4","file":"/etc/sample/script","alert_id":"4981820373.4300745","md5":"83391d21192fcfdd3b6be4e879ec8413"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 32 engines detected this 
file","id":"4077","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bc32b7000a895fe10384aaa4250ad956c04008ac","file":"/usr/share/sample/program","alert_id":"6479590370.0374979","md5":"744bbfb9dc722af860af17f011f3a4d6"},"malicious":1,"positives":"32","total":"132","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T11:27:45.215Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 32 engines detected this file","id":"5207","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"92b2078df47e85e6f921986783f21ae1781d1c04","file":"/etc/data/file","alert_id":"7441279187.6471299","md5":"80b313410df7b2504b35e3818a91459a"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T03:41:50.235Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this 
file","id":"3762","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3f29c7208db947158f52f6e879338c3aa375ad82","file":"/usr/share/sample/program","alert_id":"4785319894.8303476","md5":"40d59e930b4a4ef11b4582632ef01ee8"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T15:39:23.108Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4589","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0e895fb4efe67db56a85a4f302bff500bae3dde1","file":"/root/super-script","alert_id":"2551189342.2025143","md5":"6446253c7f9aca46bbde3b60e773599b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 55 engines detected this 
file","id":"2601","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9aaf6c9c031a48cd31b2b1b3a92add5f2703f3bd","file":"/etc/sample/script","alert_id":"4734721795.6538980","md5":"c96512c4b0242247bb0aebf88a3d578c"},"malicious":0,"positives":"55","total":"055","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T12:14:02.250Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 58 engines detected this file","id":"5424","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"32f2d62641b72d7aa2ef34897aee699d3de57368","file":"/etc/data/file","alert_id":"1950614778.9472116","md5":"9dfbe25721cbececdae6d2b8a7ced654"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T06:29:24.724Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1376","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1895b5daff2f2c17e32dd8d7dea42d1e28fea48c","file":"/tmp/virus/notavirus","alert_id":"3432752617.2562684","md5":"a977d16e9c733284976e227c13d704e8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 0 engines detected this file","id":"1464","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"488ea9afef945a090e52d50715b9033852f2cb75","file":"/etc/data/file","alert_id":"2752509150.3911747","md5":"73fc86bcb9f0651bb97d79ba4e95c519"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-01T18:56:46.293Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 27 engines detected this 
file","id":"46","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e51729c482a0a5f2dc0a973449d8b17448b4b3e5","file":"/root/super-script","alert_id":"1158917307.9125540","md5":"d2fb6dd7a73b4effe8d3c0b17f75ee5a"},"malicious":1,"positives":"27","total":"127","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T15:22:36.736Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 41 engines detected this file","id":"3713","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"481ae81d8343a241997b545a35a5508f7e78fd89","file":"/etc/data/file","alert_id":"2990254866.8790505","md5":"380ab7178a4b9f11093dc32f6b254c25"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T20:59:35.122Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 13 engines detected this 
file","id":"5522","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a832a84d6bc080cbeab584fb033aac4696ec08e1","file":"/etc/sample/script","alert_id":"2414454058.8353760","md5":"773a98b8295dd5d1d9b9e6dbeaad9363"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T11:45:34.472Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2126","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f729e60bf13a6fb403322948d18edd6418cdadb1","file":"/tmp/virus/notavirus","alert_id":"1766314290.8941676","md5":"84102241d3f04169401b77b04513ef04"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5926","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a8b7280138e53d782cfc93be2ff5998d11d42c5b","file":"/etc/sample/script","alert_id":"0767192801.8093083","md5":"751603188d53ad1d8dc1b1bba36bba0d"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3202","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"321ccc940528a81927d97f941ea69ebb1843b7d5","file":"/tmp/virus/notavirus","alert_id":"7100041583.1784631","md5":"f1333eb22ec116b1b9c26aeab895df82"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 37 engines detected this file","id":"103","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ceafed5f8dcfba56af984064c3734e0af46b054a","file":"/root/super-script","alert_id":"2812419720.0690080","md5":"d1d554c9c66682f885110384ab6b2807"},"malicious":1,"positives":"37","total":"137","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T08:14:26.920Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 36 engines detected this 
file","id":"4147","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"34bab4157bcd1aa34bd34f6274211fa7375ec0c6","file":"/etc/data/file","alert_id":"7934125995.3833286","md5":"dfc168c3243d6b8c81acf1ddd6b6535f"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-04T19:44:07.698Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2734","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1edaf377494ed77f885d5e0e76f71749606d4d35","file":"/tmp/virus/notavirus","alert_id":"2090264725.2172650","md5":"860c2bb7ddf315c3c45669c373eada91"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 19 engines detected this 
file","id":"3412","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"65073cd7f5bb29f35b41f0cc74b1c2801c0d793c","file":"/root/super-script","alert_id":"7519802831.2972369","md5":"8a8db3a636c8798092771cabc860d36f"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T00:22:26.918Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1988","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f31879da9c8231e4febb0b1710c26e8972e5a3cf","file":"/tmp/virus/notavirus","alert_id":"5755679229.3273253","md5":"e64e03bc9ed64a8d2d8112a974eea11d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 30 engines detected this 
file","id":"5979","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"96fb0d86bc3bb75db9a6bc47c79a8035a4f796f3","file":"/var/opt/amazing-file","alert_id":"2436173672.8989823","md5":"640c84ac5068433b04a0490f30da6491"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T03:34:21.081Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 42 engines detected this file","id":"1589","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"87d4bdd13961edbb17e3e384f7399b581852b1cd","file":"/usr/share/sample/program","alert_id":"8918367560.6756610","md5":"d6cfa590456ab7b5e33f0dc9b2f11339"},"malicious":1,"positives":"42","total":"142","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T13:46:08.444Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 15 engines detected this 
file","id":"2140","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"51d569ae080195d31c51e6a425813686715aebc8","file":"/tmp/virus/notavirus","alert_id":"0253481856.7096363","md5":"913b8693bf7644c930df7409127747d6"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T13:19:44.364Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1016","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"97ce8340d78e1adcaa2c8ebcf376e4dd78b407ce","file":"/usr/share/sample/program","alert_id":"2807435762.7330517","md5":"70be7a3db8607ee6f7442bfbd03679a6"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 41 engines detected this 
file","id":"85","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0b775c1b0a1c155e226cdf656aa92572bc73afc0","file":"/root/super-script","alert_id":"6626630850.6945136","md5":"b20797afe6712fe4e313743e8a30c90c"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T05:02:12.395Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 55 engines detected this file","id":"2557","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c4bd9871604f80708f57334005e0b3db3492246a","file":"/etc/data/file","alert_id":"1865117076.0018922","md5":"ed39383716b521095b5d22a83074355c"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T01:08:41.941Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 8 engines detected this 
file","id":"1968","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ff633df7ba1529f7fe25aef5a99a953a9291e95d","file":"/etc/data/file","alert_id":"7770131103.3592935","md5":"344d2e096a7c7965f4703cac0570d838"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-04T16:59:59.724Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /var/opt/amazing-file - 34 engines detected this file","id":"2324","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4cb37772cb4050f7e83a4707a77a98432754336e","file":"/var/opt/amazing-file","alert_id":"9969077719.0571823","md5":"57cdd27d6290f061ca3db21eadd37ad6"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-04T11:09:42.705Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 26 engines detected this 
file","id":"4066","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3b18c9a200fd533082f449d9c5b69d23feacf120","file":"/etc/sample/script","alert_id":"7314901812.0726157","md5":"265a055e5109152f7777cde82f6562ab"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T00:19:35.819Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2226","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d45d5a0f9ea3f054174831e60ce52dac401e0288","file":"/etc/sample/script","alert_id":"8316005542.1198721","md5":"bf881747e027f1f18fa153ab357b518b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 2 engines detected this 
file","id":"4275","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7cc5695f2b6490533485359eff3c0487b742efa6","file":"/tmp/virus/notavirus","alert_id":"4544254042.5439535","md5":"c367934cdb4d4cc744a7b4bbb4850a55"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T04:03:54.852Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this file","id":"1555","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"93d4e234a7211958c2ac3dd27e8951aad68fa32b","file":"/usr/share/sample/program","alert_id":"3030682039.2784625","md5":"eb8abc67f4a2bba1020855444c6249de"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T21:06:49.744Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4311","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8864f640b5f3ede64ad529e83950fb67d61471cd","file":"/usr/share/sample/program","alert_id":"6601319777.5319036","md5":"9321da92aeb4a5ba329c8a9fa0ddd590"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 65 engines detected this file","id":"3083","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"168d186247f92d4dfa2b8dca54b7e6e8cbf46032","file":"/tmp/virus/notavirus","alert_id":"9673199893.5069249","md5":"45a20e424e2e9b02c093d0b1ea56e95d"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T06:07:46.355Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 63 engines detected this 
file","id":"927","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b5359817ecd525fbfe5b1bf2b65f497a2b2f6b99","file":"/var/opt/amazing-file","alert_id":"0154923393.6899785","md5":"2cde22d3d61ab13bee786b37b21c3e21"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T12:09:50.359Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /usr/share/sample/program - 56 engines detected this file","id":"5076","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"07aad94e3d64e3197e59407d17770f3593267024","file":"/usr/share/sample/program","alert_id":"6483886009.3698649","md5":"e6a5ff405398f5d59597b6cd718d6758"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T12:35:07.688Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /usr/share/sample/program - 1 engines detected this 
file","id":"74","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"51b9e43f76d18d35bfaa79e0ed9b78415e55f2d5","file":"/usr/share/sample/program","alert_id":"3532618005.6704266","md5":"c3f711c39d66e0b59728ebd63af5e59a"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-01T17:21:44.582Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2913","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"992d9fa40b283c02a4df415d1d575883cb810f05","file":"/tmp/virus/notavirus","alert_id":"7584600589.1012659","md5":"d5f54699806c9d5b5e1a7e19fc7a3ce7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5712","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"95963bb03885f199c8429f87bec395784a991bf6","file":"/var/opt/amazing-file","alert_id":"4655550397.3757143","md5":"c328fee11f36f2065a49d964c0ae3540"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 54 engines detected this file","id":"2452","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"14828c1d4452deaaaba3d2c2ba48c64d2f1718eb","file":"/root/super-script","alert_id":"6601165985.9196869","md5":"0a0a19497daf31a87edf5d52a7ab4932"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T21:20:42.353Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 25 engines detected this file","id":"1326","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"59d8fc16744f9898083984bf3e65b76ecf691aff","file":"/root/super-script","alert_id":"3488399048.5732662","md5":"a2ffaebb97adeb1df5d59b8b3da64f30"},"malicious":0,"positives":"25","total":"025","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T09:34:07.112Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 35 engines detected this 
file","id":"244","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9551c607173a8e02daaef2381f17a8213acb5238","file":"/var/opt/amazing-file","alert_id":"5105566917.3798327","md5":"a704baf210c1e64b9d10ae38f63b074e"},"malicious":0,"positives":"35","total":"035","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T21:21:33.153Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 54 engines detected this file","id":"4618","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"73d66d641d19f13408f40986e6c99210a1a198bf","file":"/root/super-script","alert_id":"9636075442.4056754","md5":"f6e4cd84995937bbf237c97734ab4bc6"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T19:07:39.020Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 8 engines detected this 
file","id":"1812","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cd2ab6badfd6dceac03c314d30d7d0068940dc1d","file":"/var/opt/amazing-file","alert_id":"5929061537.3655124","md5":"118aafe34ddd73623904d89fc0538187"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T06:12:55.201Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 20 engines detected this file","id":"5898","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dab428c71b06a79062a9260b5d5fafb3d6187d76","file":"/etc/data/file","alert_id":"3084248039.3144129","md5":"e4c6e16481c281159b66a03078ac44ed"},"malicious":0,"positives":"20","total":"020","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T18:19:44.691Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4624","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b69f35285998725d5487a86f655f35286838f85e","file":"/usr/share/sample/program","alert_id":"8268364402.4081821","md5":"c5fc5e45ddadc29de5543aa330cbc8e8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 6 engines detected this file","id":"5141","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"79337bb97faeb858cc454f5e39cad5188660b787","file":"/tmp/virus/notavirus","alert_id":"5569911096.6413981","md5":"f4318b466366ce122c390675f9826714"},"malicious":0,"positives":"6","total":"06","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T05:13:43.512Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 57 engines detected this 
file","id":"3764","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fc98ae3b28cc23c8b28fa106d28f3999d9092329","file":"/root/super-script","alert_id":"7294059763.1259832","md5":"227d8e77927ee6ebd1d051f861c802d7"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T21:49:33.092Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 26 engines detected this file","id":"1398","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6e2315ef0386ccf4a1485ccc25d17cc0cc77a27f","file":"/etc/sample/script","alert_id":"3543202712.4088926","md5":"a70ec35ec10ab6d2b0a8d64c223857e2"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T20:11:07.083Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 60 engines detected this 
file","id":"4416","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a499377c8933a94570284b95d165bcac8668b79f","file":"/var/opt/amazing-file","alert_id":"8165750917.7334853","md5":"35b0f53f6763b28211a1f383e873942b"},"malicious":0,"positives":"60","total":"060","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T20:39:50.953Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 64 engines detected this file","id":"2845","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"320d962bac257f21b547727e4c2ce94fd6f37f54","file":"/usr/share/sample/program","alert_id":"1532545828.4372703","md5":"5a8073a1c12f75fa7f9fe2f6ede4a60d"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T18:59:23.609Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 63 engines detected this 
file","id":"4962","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"175a8fc3fa0009f0e59dc868e06857e01a94aaec","file":"/etc/data/file","alert_id":"3000291214.5546181","md5":"eb402f183575bacdd45ec32c82dcc4d6"},"malicious":0,"positives":"63","total":"063","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T23:04:12.243Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5774","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ff8cf20f2e43ee0ed399d5c4dbcaf871edb9bec7","file":"/etc/sample/script","alert_id":"4878394898.4530428","md5":"a05b7a363237e06510fd3ce0a1123e96"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 62 engines detected this 
file","id":"1482","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"301820d8f877dd980bbc3026785c1e70312d2e99","file":"/var/opt/amazing-file","alert_id":"6979267821.3504198","md5":"9dc226e613729d3a45b92dea0c2af5e9"},"malicious":0,"positives":"62","total":"062","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-08T08:30:14.184Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 52 engines detected this file","id":"5456","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4203dd37317136e46d5b93105199e05c6474deb9","file":"/etc/sample/script","alert_id":"5156319260.1459754","md5":"4983d02be4c9b5b61099c47468a4fe6d"},"malicious":0,"positives":"52","total":"052","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T20:14:42.432Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 21 engines detected this 
file","id":"5579","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"18da3a5d27ac03eee441db45f3d07a8b4423ad3c","file":"/root/super-script","alert_id":"9090743773.1680252","md5":"5e2f70389895ce532024bf32744c95e7"},"malicious":1,"positives":"21","total":"121","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T00:48:52.029Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"984","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"374455da9465f099ec4240464bf41c58ac6a7f33","file":"/usr/share/sample/program","alert_id":"8038729334.2466400","md5":"19d83c8af5c9a93f63d48326edee6a5d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 0 engines detected this 
file","id":"3929","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"190fc71d393b4b09209d6e58ba47767111c4e066","file":"/usr/share/sample/program","alert_id":"6385841579.8179949","md5":"5a116540966650eb87496beeb23982b7"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T17:14:28.408Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 35 engines detected this file","id":"5970","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a09a8bd8318b03fb4166e23d410c232f3890661b","file":"/etc/data/file","alert_id":"5475475412.7825399","md5":"179e174e6ec3a8e667c0501d5c57b349"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T08:49:34.923Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 45 engines detected this 
file","id":"1663","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9b507d55efbdb7953b09d946e5d00059e99d3c90","file":"/var/opt/amazing-file","alert_id":"6358855338.1583678","md5":"04b044a6f33d8f022c757fcf5c8d2c5e"},"malicious":0,"positives":"45","total":"045","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T06:54:39.559Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 22 engines detected this file","id":"3174","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8bb4608f26e107f7ae46e492739358ca66bdc2ee","file":"/tmp/virus/notavirus","alert_id":"1247907996.0014395","md5":"9a1a928e3b5c6aa20485747629092ca6"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T23:05:13.558Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2758","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0a49169d1133f2e9050ec8228b1642d685aacfa2","file":"/etc/data/file","alert_id":"3973341585.3959179","md5":"b9ee87d755af762800571993f3a3bb5c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 28 engines detected this file","id":"5411","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b5d959902a8ff0a3195ccb11d34cdd7cb0c4813c","file":"/etc/data/file","alert_id":"1343380776.1649900","md5":"df5a73800b20857a2a88e0b6280d2618"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T14:34:26.599Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2917","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"befc9ee19fda89de5115f338a524d6e2013ba480","file":"/root/super-script","alert_id":"5744848687.0713713","md5":"c88cc548bfb19ba9effb912aaefeeab8"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3149","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"986e8605e72b82c39eeda1f4e5ba7f0312adc835","file":"/usr/share/sample/program","alert_id":"2543559154.4221185","md5":"ad9fdd4b3bff5f970a4139a249fffdf7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 56 engines detected this file","id":"4190","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4aeac818a61cc3a63072e9a9f44432ebaf0971c0","file":"/root/super-script","alert_id":"2201632213.6990741","md5":"9a98145d805242fea990600aaa8c0683"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T16:28:44.627Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1150","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d444fc14584c6d87332587a0a3256027ba7900b5","file":"/usr/share/sample/program","alert_id":"1292959266.2408007","md5":"e8f2a15152b8e7ffe93b6096676b1cbf"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 36 engines detected this file","id":"4552","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6e220f698e9ad811d6731934d4cc23ea21656867","file":"/tmp/virus/notavirus","alert_id":"1871238252.0089171","md5":"ef0822c6447e7d4633759fb6ca44351b"},"malicious":0,"positives":"36","total":"036","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T11:23:48.590Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 50 engines detected this 
file","id":"3413","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"476760ee2718e4098855e96e20eaaaf9672c6fe2","file":"/tmp/virus/notavirus","alert_id":"4687285022.1960840","md5":"647b87baf9bd960ac63bb87e07604725"},"malicious":0,"positives":"50","total":"050","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T19:01:08.650Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 52 engines detected this file","id":"341","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"267538e69cff975d8851750c10de879b3848af6e","file":"/root/super-script","alert_id":"4042858443.3212798","md5":"74ca008d06c6022a942a2f6279a48332"},"malicious":0,"positives":"52","total":"052","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T07:30:04.750Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 41 engines detected this 
file","id":"761","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2a4230bc88a3cfb6afe7e8816288e1331605a509","file":"/usr/share/sample/program","alert_id":"4782993990.5680825","md5":"925f090adc30ddc5d6ecc5f740680ab5"},"malicious":1,"positives":"41","total":"141","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T07:17:25.051Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 43 engines detected this file","id":"5260","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5325cf81d723ec6a0f2d1434d82aefa70ae49ac5","file":"/root/super-script","alert_id":"2352398699.8509346","md5":"65a7951b434c12ade960f5c9888c77c1"},"malicious":0,"positives":"43","total":"043","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T21:08:04.918Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 29 engines detected this 
file","id":"3121","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a6d0e06e8021e32c946e8fa0b8b48678649c655c","file":"/etc/data/file","alert_id":"8518560465.5506540","md5":"13bbc49da48bc3fadf8a950491ec572e"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T14:54:08.149Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 55 engines detected this file","id":"638","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2c2caab9370cf3441a900a260bed05cb8d75e03e","file":"/usr/share/sample/program","alert_id":"4418506002.5409557","md5":"a6b44a41eedbd43bdc98bb24857899ed"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T10:16:24.778Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 54 engines detected this 
file","id":"5065","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c5ed4ef0425c2f5f8d612ee1c147a431f8c6b6c0","file":"/etc/sample/script","alert_id":"8765144977.5415898","md5":"53b9e0a8868aa4963e701165ecd079a2"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T13:06:58.880Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 19 engines detected this file","id":"3567","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ef2d2e4bf54f5c0426ffbc5be19bc07a748b41a4","file":"/etc/sample/script","alert_id":"0580391644.9926891","md5":"46f76da4eb82b1786a5392b4c1502221"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T01:59:31.144Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1143","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"49e73ea5a1e8ab060e7c40cf86025dcd428aa397","file":"/tmp/virus/notavirus","alert_id":"8813452302.0071064","md5":"8768ac4f53696bd0bcc974df61ec2b5b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 18 engines detected this file","id":"5647","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a056cf18cb121a7d0c829b8f72a5117cfaa82225","file":"/etc/data/file","alert_id":"3168463639.2439310","md5":"4e272931a09efa5b5469c21aad380c93"},"malicious":0,"positives":"18","total":"018","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T07:05:54.817Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 10 engines detected this 
file","id":"3991","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"39c1238d6cdaf0ad208e5b4a5d73f385fd7ae2d1","file":"/etc/data/file","alert_id":"0048105813.7031793","md5":"78c351856073947a75c29854837c2d00"},"malicious":1,"positives":"10","total":"110","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-08T00:38:27.894Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2438","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fb719ddbb11452e03bf099dea6b7ad5c1fd0169f","file":"/root/super-script","alert_id":"8317183299.2890996","md5":"7d4068e4c60ad71787fdecb1d49d4e0b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1051","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f32b56204696fc0a9e8e7f48712c795bf59f04fa","file":"/usr/share/sample/program","alert_id":"8656268417.3851845","md5":"77caf9b8cd96617abe3766609cf381c7"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2711","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"77ed9781af6459c6b5ff6a2dde9e66807cafe6dc","file":"/root/super-script","alert_id":"0408923360.1924294","md5":"b7cb1e1f686b415e0b6fa1f7b92cbd5d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 25 engines detected this file","id":"397","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6bfe602e2dcfb5b0921ac5f16bd39f200a287ae4","file":"/usr/share/sample/program","alert_id":"8435274320.9951081","md5":"4cbbe4a39a8bb4066f84050cba53c709"},"malicious":0,"positives":"25","total":"025","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T16:03:40.937Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 34 engines detected this 
file","id":"929","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"94895bff6efac8c02237ac093b5cf27b143191ce","file":"/etc/sample/script","alert_id":"8419590800.6596800","md5":"1cc0a14eb996532a423afc1c706794d3"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T17:38:28.263Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"579","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"905252d95afdb3109cf4a8c434dfd7bc666f945b","file":"/var/opt/amazing-file","alert_id":"2879135501.0550341","md5":"86e68a30303458a9d31e0c2ab60b42cf"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 32 engines detected this 
file","id":"2468","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bb651b89234d31d817ba94cf7730ca21d4418391","file":"/usr/share/sample/program","alert_id":"4848260191.4777550","md5":"131596dcec26bf0f7187dd2a7cc70e42"},"malicious":1,"positives":"32","total":"132","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T00:08:48.351Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 9 engines detected this file","id":"5975","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7a13382a78a90227b95abaa3e76d48a3ab93da40","file":"/etc/data/file","alert_id":"7644736860.1848639","md5":"54fecf36e7684c7d95cbaa3e9f491134"},"malicious":1,"positives":"9","total":"19","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T17:01:25.720Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5500","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"445f98ec4049f5d090969639962802c470f0aa1f","file":"/root/super-script","alert_id":"4533073776.7821775","md5":"c54d65e0cc931a3a23e19c82b6f8981c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 63 engines detected this file","id":"3644","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8498fee0563149db380889acc14d67150d3dab23","file":"/tmp/virus/notavirus","alert_id":"5532094339.7986476","md5":"fda1c077ee0e2147b7a93deb05684128"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T10:20:12.915Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 34 engines detected this 
file","id":"4786","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"28cb0e70a1ccd1f5df1209e8c1bf8522ca2ee20f","file":"/root/super-script","alert_id":"0272725672.9707689","md5":"22ce1596ecce769068e70661701789ac"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T21:27:54.200Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 19 engines detected this file","id":"3683","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f76d69ec663925310c2cf0c5da3e4d3b15cd6359","file":"/root/super-script","alert_id":"3927824485.6719874","md5":"0f435aaba5719bbaa20cae6e523523aa"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-08T03:33:03.350Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 23 engines detected this 
file","id":"5825","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"543f63aeee903c35b2a662e5e23312786a41077c","file":"/etc/sample/script","alert_id":"7513222953.6513665","md5":"259f6402ebdde0405312d6ac97b1cf18"},"malicious":0,"positives":"23","total":"023","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T13:38:53.747Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 7 engines detected this file","id":"2419","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"87b6154fd048466ba2875663efbf77ff4127cd20","file":"/root/super-script","alert_id":"4907654663.9905000","md5":"7572e8648af8c0f5a104cdaa74b23636"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T06:45:26.831Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 36 engines detected this 
file","id":"5919","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"74f7debc236b7ce83b9fdbb95755a3ea8bedfbc2","file":"/root/super-script","alert_id":"9362415476.2283726","md5":"d100f5d12c3e86099496e9383b6f44ff"},"malicious":0,"positives":"36","total":"036","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-04T19:13:56.211Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /var/opt/amazing-file - 35 engines detected this file","id":"1225","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dbc9573a7e90a1996f0a170c4817eb8c3339e0fb","file":"/var/opt/amazing-file","alert_id":"6857339515.4044241","md5":"20991e766cf996f7a3e69d92511da72f"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T04:36:54.692Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2518","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1ca8c340857fe45b85eb395642d067f4cf961002","file":"/etc/data/file","alert_id":"3843457814.0473774","md5":"dc92e3011565c2efc2c02596618ed07d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 20 engines detected this file","id":"2268","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1c9872dad3daf7607477eead2dcfe0100c75326c","file":"/root/super-script","alert_id":"4714759282.3484437","md5":"ff07c3449ebcecb96059cd59acf059f1"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T08:36:46.015Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /var/opt/amazing-file - 65 engines detected this 
file","id":"4861","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a7a8bbe65b9f16a66c92566c242c0e72009f0182","file":"/var/opt/amazing-file","alert_id":"1309854483.7337458","md5":"6b3ef8162186213009581fa33bd01b6e"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T21:48:36.409Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 56 engines detected this file","id":"3372","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e27b7dc3c3ff8273365c238c411da0ed836bd684","file":"/etc/data/file","alert_id":"3873640313.6415621","md5":"380fbeb549e1ebdb2793852b785edcfd"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T17:31:55.694Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 8 engines detected this 
file","id":"2218","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c1e05520e3e109dadf41345c05748cc9bfe7592e","file":"/root/super-script","alert_id":"0351177996.7145216","md5":"abdd5daf762266a3a35d23467a2e4098"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T05:02:24.247Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 31 engines detected this file","id":"1477","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b55141c8f37683c0769ba368287aab0ea6a788fc","file":"/root/super-script","alert_id":"2060632945.6710132","md5":"5948557ad7e2a4c4e1237fba1b79d52e"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T22:26:22.548Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 34 engines detected this 
file","id":"5431","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7a9a6301a3b82b8827dde707169438239e97ccf1","file":"/root/super-script","alert_id":"2701026439.9705424","md5":"0d342f8b057de407425544f52b51de14"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T00:15:07.303Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 58 engines detected this file","id":"1181","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1a71cfae7753741c326120e546227e044eb16f85","file":"/etc/data/file","alert_id":"0813396164.1532195","md5":"9c0d88b730dc60db7e649b332cd45878"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T02:52:32.017Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"850","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3c64e200d92b9684169ddeae5116f10f6f43d191","file":"/var/opt/amazing-file","alert_id":"8640628185.9354461","md5":"eed331fedb4b6c63dd6c02a791015876"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 49 engines detected this file","id":"3727","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7cbd439db675ebdef74052b92891c96e08d0f532","file":"/etc/sample/script","alert_id":"4582610032.1854281","md5":"400ad22cac02e689b0c9699dca1a9ffb"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T12:50:02.676Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 2 engines detected this 
file","id":"2117","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"338da75c046d23e4b16ec853e5df320ed913d090","file":"/root/super-script","alert_id":"9673029344.4143777","md5":"39fbbc6f60952e1ae2c4d8d6a9b59374"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-01T18:43:01.081Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 53 engines detected this file","id":"5870","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2c24570533e7cdc84af54d387db0e23013084022","file":"/tmp/virus/notavirus","alert_id":"1015746981.5568898","md5":"8abc237eb867c63e1ecece1c866b7eaf"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T09:19:08.553Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2463","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9d72958c1c7486ec79d44824324ba74f7eae1238","file":"/etc/data/file","alert_id":"0279484009.3154733","md5":"5dd8edf34f9906e2916cc67a634e649d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 34 engines detected this file","id":"3124","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4eab9a88fd8c7b5e8fe3486be5f2e2e9f9c036e5","file":"/var/opt/amazing-file","alert_id":"4317900406.7661883","md5":"ac26744a19ed7686fc8255ad56ec500e"},"malicious":0,"positives":"34","total":"034","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-08T10:19:23.241Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 12 engines detected this 
file","id":"687","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5d65db33736bef649da62f5279352af538ffbca5","file":"/root/super-script","alert_id":"3690171113.5792656","md5":"0c9cfc2053b044bc974e2cc803193e14"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T14:32:08.055Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 9 engines detected this file","id":"3086","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"31eeab86cf9d2b9c139ff2dd2940d9dab9b7049d","file":"/var/opt/amazing-file","alert_id":"0881738168.0373780","md5":"1cbb67d08c64b8932adba7331d891bb4"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T06:23:46.457Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 14 engines detected this 
file","id":"1301","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2bfab88ab14676170fca239eb858f6cf2f0c7227","file":"/etc/data/file","alert_id":"2915110176.1252143","md5":"b8f82bac75a6f8e2734d275147ea82fc"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T20:12:06.869Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4350","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"159330b1355b69e7a1d989c7bb49646035f1628d","file":"/var/opt/amazing-file","alert_id":"2270388032.0595431","md5":"27b655b94681591d6230b7fce5d13be8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3808","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"375458cf109aee9a4e1c4a3ef95b121684311297","file":"/etc/sample/script","alert_id":"5687515502.6529489","md5":"0e59d6b890917ab2ecc229d0f285dece"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 57 engines detected this file","id":"2040","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e8d1ec6da64854c6a7d6a852f8fc05e31fc3659b","file":"/etc/data/file","alert_id":"8482199761.9205554","md5":"e69b5e3e348b7f6a947df8562feebe16"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T00:44:33.816Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 50 engines detected this file","id":"5183","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e614a3e7c3139f9c742fb80d778577a57b74362e","file":"/var/opt/amazing-file","alert_id":"0695085441.6427075","md5":"333e80ab399833fa69d91b9dc51ce33d"},"malicious":0,"positives":"50","total":"050","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T11:49:40.131Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 51 engines detected this 
file","id":"5807","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d21e28625ab18e636841a002402171e58cd1855c","file":"/tmp/virus/notavirus","alert_id":"5406010992.2206645","md5":"03dc60322f4e2998b92896e31ae8efdc"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T00:19:53.361Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /root/super-script - 49 engines detected this file","id":"4324","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b8fde2810ebe5bf923c3ddfdf250d716882e4277","file":"/root/super-script","alert_id":"7036592999.4324399","md5":"d9c81191e0bf55c011ed72de333b8f97"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T20:49:47.434Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 21 engines detected this 
file","id":"5247","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b70fced76bac98336aa8d6eaf81b2d04f8839a59","file":"/tmp/virus/notavirus","alert_id":"0529099290.4606365","md5":"f40eb2208c0527df8a71d5e7cb7eca4f"},"malicious":0,"positives":"21","total":"021","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T20:52:47.334Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 59 engines detected this file","id":"3460","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"55fdf0f921d2be892e4428025a7bfddeb4203044","file":"/tmp/virus/notavirus","alert_id":"1916311141.7432723","md5":"1c438cd5a99c9bd54d62f13afa08bccb"},"malicious":1,"positives":"59","total":"159","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T05:37:15.056Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 18 engines detected this 
file","id":"964","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"327b70598ba3c17a2518587fe8bfa5e29382b027","file":"/tmp/virus/notavirus","alert_id":"4246407363.9347642","md5":"247ff9e3f4148c9ac773327086020851"},"malicious":1,"positives":"18","total":"118","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T19:06:47.156Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"814","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8c8a11b813856352effd55532fb5a5d0ad489905","file":"/etc/sample/script","alert_id":"8032330913.5395164","md5":"0234decde31a2d4a07e680425ebdef42"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 27 engines detected this 
file","id":"3410","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0ce4acb3557bab4b7a1b9b00061868af15971284","file":"/root/super-script","alert_id":"6906669598.5022587","md5":"49cb03e4b5954bb8d6ffd82dd84c4896"},"malicious":1,"positives":"27","total":"127","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T05:59:23.494Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 49 engines detected this file","id":"1903","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"54afeea9b70c6dfe51481e599d0e3accc3e73e7c","file":"/root/super-script","alert_id":"3227324629.4421673","md5":"3702346730f914e461fc9fbd0747ba31"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T13:19:14.016Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5748","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b5fe66207510298921fd9a51a946b1f3eee3a042","file":"/etc/sample/script","alert_id":"3509650598.8111923","md5":"f6e740f6179d166d70b637d7968d4256"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 18 engines detected this file","id":"4265","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"79247c836ad7a0a1e9334240750462598694bd45","file":"/root/super-script","alert_id":"4083076173.7996441","md5":"3abf7307c4552edd1f260a3d111c6bb8"},"malicious":1,"positives":"18","total":"118","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T07:38:27.315Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 47 engines detected this 
file","id":"2392","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e77e9bd73e93399ccefa95f5afd84834fae671ad","file":"/usr/share/sample/program","alert_id":"2349100244.3669222","md5":"246842b646a90c3c6999eeb81a6708b0"},"malicious":1,"positives":"47","total":"147","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T19:32:30.863Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 2 engines detected this file","id":"5558","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"82a079b281c13b219e178939af33958eaf656b60","file":"/etc/sample/script","alert_id":"6830311462.1501466","md5":"791cb9a1f15cc4f51b1b079bf5c295b9"},"malicious":0,"positives":"2","total":"02","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-08T05:32:48.360Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 16 engines detected this 
file","id":"733","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9abdae21d37d84196a3173af1578374f083db0fa","file":"/var/opt/amazing-file","alert_id":"6312284550.9779698","md5":"382e416e244e02ec1375379cdde24554"},"malicious":1,"positives":"16","total":"116","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T17:50:35.222Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2138","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ffbe469c33510840b0069509ae8d88297b2a916d","file":"/root/super-script","alert_id":"0213404585.1002318","md5":"9f8638ba1e22638ed8e6ac700dd46309"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3649","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8716eb160288b15b840fd302149556408e803881","file":"/tmp/virus/notavirus","alert_id":"6635684996.0742306","md5":"ac827a4931c6e8dc4caf7f0bb6ccd19c"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 9 engines detected this file","id":"960","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"43e4dbfb1a7c087a52168bfa08081164146a711b","file":"/tmp/virus/notavirus","alert_id":"0876151778.6896116","md5":"9a4f7ead916b5b792860ab2d571d1635"},"malicious":1,"positives":"9","total":"19","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T19:27:28.591Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 58 engines detected this file","id":"2440","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"25234f2f6d38a581cfaf7073acf822e262ec538b","file":"/root/super-script","alert_id":"2658565780.5158221","md5":"921576f2429cc80c3ec6f742318a2a1c"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T19:12:28.717Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 9 engines detected this 
file","id":"3390","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8a01e7a47873f4cf4630896485ddaed388c751f9","file":"/tmp/virus/notavirus","alert_id":"1065642525.7576836","md5":"5fe9becac7e372a2cd6b6fac001f35c9"},"malicious":1,"positives":"9","total":"19","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T16:54:12.905Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this file","id":"4098","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0e2c0e5d71157e279001976dddc8b31c5d486df0","file":"/etc/data/file","alert_id":"0553385208.0513330","md5":"9e4cba1593f7a40268df80620e0d0af4"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T13:40:07.395Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /var/opt/amazing-file - 42 engines detected this 
file","id":"1008","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e29501c1df57c1d79ad908336dfb62aaac03e605","file":"/var/opt/amazing-file","alert_id":"4559768201.0909740","md5":"6982d532c8525150dfc92d9fbd8186f1"},"malicious":1,"positives":"42","total":"142","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T18:23:54.584Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this file","id":"5960","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4183da7a9bc85ead1f164cfbb5e962e86402680f","file":"/etc/data/file","alert_id":"4694366710.3546274","md5":"4858eb81ba00b9c014b1009686c29e1e"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T05:21:31.446Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5231","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2b7b176da6f19c8aff6f3f110894212581c3f8bf","file":"/etc/sample/script","alert_id":"4516653157.6896957","md5":"f73bd63bfc3222ca214d906151d56470"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4576","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1fce9db4189d6153d9cbf4908a957e970a4f8a99","file":"/root/super-script","alert_id":"2126708974.9599294","md5":"a0282bfa166bd1c4bfd9b8dfe0fee22b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 16 engines detected this 
file","id":"2578","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0779d92f47ecc47410d2df515c6760fa675048b3","file":"/tmp/virus/notavirus","alert_id":"8085123602.3729218","md5":"a033c6bfa0cd88ea37868784dd511011"},"malicious":1,"positives":"16","total":"116","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T02:40:32.026Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 15 engines detected this file","id":"1946","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6e92e0e4e9b0c26371f3e16c066a27a4080705e8","file":"/usr/share/sample/program","alert_id":"2614672396.6609827","md5":"e5fb6166a1172725ea37264bb3f5489f"},"malicious":0,"positives":"15","total":"015","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T09:27:26.490Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4689","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8bf63b0b566460e85f9bc9341e2d5792bed9b719","file":"/etc/data/file","alert_id":"4141635991.0382149","md5":"63016ceb9af6fb420dce8a6d0c38a8a3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5983","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1304e9e44cfe490ee32d30e25f8a41f06e0e46c0","file":"/root/super-script","alert_id":"4880752426.7730399","md5":"8f7d7b85d93c7c501161ad82f0d17439"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 47 engines detected this file","id":"1466","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2c1aec233a365c4a10e9eaeff7dfdf7f074de5f5","file":"/etc/data/file","alert_id":"1480270032.4399245","md5":"1ff583666c86e8844e4b82e7be4766eb"},"malicious":0,"positives":"47","total":"047","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T14:35:55.177Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 21 engines detected this file","id":"1515","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3c88b2639ef5b983c8da73ebda27cc4613c0b4c3","file":"/root/super-script","alert_id":"3424295013.1334329","md5":"07fa5d0355d3ddbd03df25f25100ad75"},"malicious":0,"positives":"21","total":"021","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T04:33:55.983Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4504","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7040f622a00cf13c6ac834e09751289485dfbe05","file":"/etc/data/file","alert_id":"4237926723.3214325","md5":"29ab0e8f0d1efd4b3936d766950310f3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /usr/share/sample/program - 48 engines detected this 
file","id":"807","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9f8f27e9630dfb856d7cfa14c92d28df5d7794f9","file":"/usr/share/sample/program","alert_id":"9436729377.6788325","md5":"88b75969745363d400313034ec1970f1"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T02:51:17.670Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 16 engines detected this file","id":"3169","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b2de1036da418a2a8bbde88be35915af26598ce5","file":"/tmp/virus/notavirus","alert_id":"2398237385.6918726","md5":"dd27e7057243a20503121c73f099dc2f"},"malicious":1,"positives":"16","total":"116","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T17:55:59.326Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 61 engines detected this 
file","id":"5584","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2933cf8b666ef501a18daa51cd8db77e4b54f119","file":"/etc/data/file","alert_id":"3418575650.1666873","md5":"7ee4ad5e9f7583bedf1ccdc2df0af280"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T10:46:53.445Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 52 engines detected this file","id":"3496","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e289146c469d544bbd0881b16c3357845e209687","file":"/etc/data/file","alert_id":"9493631434.0625620","md5":"b11857b0f379546404242d81a555d2eb"},"malicious":1,"positives":"52","total":"152","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T13:18:04.131Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/data/file - 61 engines detected this 
file","id":"2400","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6dac814ea1125723bcc3a1e22e29b32f6479a256","file":"/etc/data/file","alert_id":"3895324518.8564213","md5":"5279f63988304cd0ca72caae11298c47"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T03:28:25.986Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 12 engines detected this file","id":"885","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"134000a6d379a7458126aca4a91a63f17b609327","file":"/etc/sample/script","alert_id":"0396117435.5269464","md5":"025fa79ab526a4d6e2f4c67eb97b0f3d"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T21:47:10.656Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 50 engines detected this 
file","id":"936","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c7101378e244df49384ba46dfb64711ed41c230f","file":"/usr/share/sample/program","alert_id":"3695751303.0611204","md5":"17b9ce2990e54195f8610fa935d494da"},"malicious":1,"positives":"50","total":"150","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-08T03:08:30.655Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 5 engines detected this file","id":"1054","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a19fc403c9c4b82bfd7b72f71c6cde00b206bbf3","file":"/root/super-script","alert_id":"7805614169.0644249","md5":"558c06576e6a64db0b9fb6d53a06103c"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T15:46:21.458Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3128","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"15c8877ede9dbb88f05d5299eaa898dda2a3c624","file":"/root/super-script","alert_id":"4681536310.9874836","md5":"005425255717799d136d6ffe185532e3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/data/file - 19 engines detected this file","id":"5436","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9cf15b06071ef0cd8db8c09e4b6f30061c418306","file":"/etc/data/file","alert_id":"6348816419.7852216","md5":"3d4c1480abc83fe7bcfe48a7bc019ff8"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T23:16:16.994Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 31 engines detected this 
file","id":"5169","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1228cdcfc978751842449504ae3628133ed4b0cd","file":"/var/opt/amazing-file","alert_id":"9896684621.5406387","md5":"cec1dadb971f26e5a9b2c7bd8170e7f7"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T22:52:48.770Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 39 engines detected this file","id":"3747","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"17995ec18949b6ff438e55856238a9df69cf9655","file":"/var/opt/amazing-file","alert_id":"0012026439.2076955","md5":"3a0ad6460755923fbbea0c77e077dafb"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T21:58:42.944Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 17 engines detected this 
file","id":"2610","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6b28b8788be6fdba14b0316c092ebcb1dadefd4e","file":"/etc/sample/script","alert_id":"1188383766.0695690","md5":"ab4d1d120bb0e0f68b10495cac85d173"},"malicious":0,"positives":"17","total":"017","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T11:03:49.295Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2167","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"074626d9ae0b9f6262ae7dfb63a778e42fbbbe54","file":"/etc/sample/script","alert_id":"4124522603.2665216","md5":"338b0ce0cac3bad36587075d58bd24f1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 59 engines detected this 
file","id":"1000","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ab99ae639f07f59b86464227e05b61e58b872c2c","file":"/tmp/virus/notavirus","alert_id":"3060727629.4228405","md5":"84fed9c6a96d28234e78c6868f59b726"},"malicious":0,"positives":"59","total":"059","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T23:18:40.703Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this file","id":"5981","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"233987f80292fbae975a3f2063ca19a198d11a32","file":"/root/super-script","alert_id":"3291930657.7693485","md5":"ca412e5368164c8d6a3d9045724d8bc7"},"malicious":0,"positives":"64","total":"064","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T12:16:51.868Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 32 engines detected this 
file","id":"5024","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"406ca2dcf86a78f30c3abb4673a9d048958cd4cf","file":"/usr/share/sample/program","alert_id":"7791763473.5135816","md5":"5ca77bd9a5c8e69e55764b2758e0181f"},"malicious":1,"positives":"32","total":"132","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T18:19:15.660Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 38 engines detected this file","id":"1712","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"abb41a1e52b8997833e146fee5f64ba51be87317","file":"/tmp/virus/notavirus","alert_id":"4441051926.4515325","md5":"dffa4bb6994c851675d66f717edc5ce3"},"malicious":0,"positives":"38","total":"038","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T11:08:19.948Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"705","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b2a2f8a6df088f916e1b99d856bca65dbc31f564","file":"/var/opt/amazing-file","alert_id":"6367435219.0526191","md5":"b9dc80ed645fb45a4604b9ae006deabd"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 14 engines detected this file","id":"935","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bdc3f6763830d439450fdc716d306732c015dbec","file":"/usr/share/sample/program","alert_id":"0576806091.2314261","md5":"be6af827a43789fafaa9ac90ccf03611"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-08T08:55:16.138Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 48 engines detected this 
file","id":"2522","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2c9129d2c037dbf2eb9acc99daa3ecd2a8f0d70f","file":"/tmp/virus/notavirus","alert_id":"8395140719.4669533","md5":"acd9a85c9d96985b7cefde01c0c9ace2"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T22:03:40.556Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5148","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"777513808d262d8564adeff4b76f7c78a285982e","file":"/etc/data/file","alert_id":"2624116669.5340523","md5":"370a89f71e176f4958edf32c30b2fcd8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 65 engines detected this 
file","id":"4512","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"895486a5910b278632c41f2805715b1b4f3cbdbf","file":"/etc/data/file","alert_id":"0523982174.6127657","md5":"485e29a7ce14b2210c5043618f7f4e5a"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T14:27:15.043Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 56 engines detected this file","id":"273","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e561b3c06a6a09567d2f71d751bc25f7a66bd28a","file":"/etc/data/file","alert_id":"0040486935.6005221","md5":"8aedb3620dd4bc0ac4dd722e3777b735"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T19:41:49.643Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 53 engines detected this 
file","id":"1443","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"25604512eb485a4b6f5c3cdaab1123ce5a6b53e5","file":"/tmp/virus/notavirus","alert_id":"6469036536.0281018","md5":"be24f3e96349ea23a5035216d034cfae"},"malicious":0,"positives":"53","total":"053","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T17:20:04.174Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 45 engines detected this file","id":"5426","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8bd86b37ae0a50fbe567bb0c598ee0852e952391","file":"/etc/data/file","alert_id":"6326935391.4109860","md5":"46f353bd07b9a2992dae19d412e12fc8"},"malicious":1,"positives":"45","total":"145","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T10:02:08.227Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3813","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1702dff704b4c2fe16484568c2fc8143ad4482bd","file":"/usr/share/sample/program","alert_id":"7722847436.0073783","md5":"778ee3022119794f7bce9ad253d48d5d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5361","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fd58c7c522889464dd93854111bfa9d844f67ecc","file":"/etc/data/file","alert_id":"0415311638.4787012","md5":"3e8ee695257df917642bb62565d32bef"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 33 engines detected this file","id":"4707","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"250c4c25a1b0c94c94d1174e0978bc1113094972","file":"/etc/data/file","alert_id":"1893102350.9382760","md5":"9b2bb61ad46be6a76a49095dcfaede0c"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T01:56:49.779Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 61 engines detected this file","id":"3626","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"27302bae0d8fa63746dcfa36c29a804f7b61d24b","file":"/etc/sample/script","alert_id":"4099521736.9267650","md5":"d527fc5d3f00732935318059d30a32b8"},"malicious":1,"positives":"61","total":"161","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T05:36:31.909Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 41 engines detected this file","id":"300","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7d26e3f545adb473eec208b97fb64c261fc8ca77","file":"/etc/sample/script","alert_id":"3748810925.5902116","md5":"9712c42aef4dc8c5a9ba1f4ebe81abed"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T13:40:33.325Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 29 engines detected this 
file","id":"1323","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b54b340041b04c22650e803a679f49d5b840ad31","file":"/etc/data/file","alert_id":"3948705552.7879509","md5":"ec6568357e41561540a2771307ae10d6"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T18:09:25.425Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2658","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5ef1f935e3909f0778d0feee22751c5ed62e243a","file":"/etc/sample/script","alert_id":"6923041107.1866788","md5":"f080aba45edef8fa951dbd45b30003f8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4446","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0dfa3ee5102bdd70c977cb9b6c4085770068b46a","file":"/etc/data/file","alert_id":"1283270513.4261034","md5":"ed3f7016606aff48ed1ae9615ac873c8"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 23 engines detected this file","id":"386","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"933ce0b062207c5f4e7bef7ab22d9037f77475f4","file":"/etc/sample/script","alert_id":"1739758179.2686048","md5":"4db004e56aa03f3fe992a2ff157f428e"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T23:20:18.845Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /usr/share/sample/program - 26 engines detected this file","id":"5940","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4cabc339718907b6b5cd419669b205ee8588d4e3","file":"/usr/share/sample/program","alert_id":"9869791049.5363715","md5":"4f9a691f399767c78c9cbcf2753dcaef"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T20:28:25.960Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5847","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"974c4b4ba1a04f9223be9bb7d2e3047db67d2124","file":"/etc/sample/script","alert_id":"9113678396.1025253","md5":"95c7bea6b6bfe96679bc519ca698263d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 33 engines detected this file","id":"2149","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"88b984981c58e6e0b2a2ed7dc57108b84a33fdb4","file":"/root/super-script","alert_id":"7150360223.6231911","md5":"a386db6c04f31d6804f338ee4edfb2fd"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T12:15:25.230Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4037","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"518f4cdca0c5664c29b9b557d55fdbdb73a5a075","file":"/etc/data/file","alert_id":"6780812893.6825355","md5":"74d7d5153a01333b63fceb80bab85b20"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 5 engines detected this file","id":"391","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1aa795c6513ca876feec379156b1101986ef9750","file":"/usr/share/sample/program","alert_id":"7152101504.5377860","md5":"b39789a4ab7000174729445319bc1061"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-08T11:08:55.014Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 11 engines detected this file","id":"2626","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5843abe6c9f2daf1e674dc2993c083143b7ccaca","file":"/etc/data/file","alert_id":"8543713398.3515469","md5":"aceb5bf9d17a5666680b9e7a79fd114f"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T10:55:18.024Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 56 engines detected this 
file","id":"510","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cf58e71d78bce1cc157a657d7964b2c9902502de","file":"/etc/data/file","alert_id":"7525405925.9124432","md5":"00432fe25557244b6a120e3ac5e2703e"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T23:33:40.716Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 9 engines detected this file","id":"3533","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"16a9ef02358f5a409a1bf5fb5d487d464f3ffbd8","file":"/etc/data/file","alert_id":"6821931320.3426611","md5":"68b011cd250b22faef535c4d22be5526"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T05:51:37.979Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 39 engines detected this 
file","id":"2616","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2566ccbbc43926c00aad5e8162abb294a487d99c","file":"/root/super-script","alert_id":"5563073996.3047311","md5":"e36f7706797b1c1e36ed0e682c5e1053"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T16:52:46.316Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 7 engines detected this file","id":"5620","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"530ec136d266b587f88b713a883e049ff3cbac17","file":"/tmp/virus/notavirus","alert_id":"1312463993.7946154","md5":"2988f87cf2d4ac2426b9156871ee6d25"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T20:38:29.604Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 36 engines detected this 
file","id":"945","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"659a18610d469e207dbc663591374dc7f1523942","file":"/etc/data/file","alert_id":"7116191045.0374180","md5":"1da6197b57d6bab552e2163dae7dfe20"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T05:49:23.822Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5641","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"407a9229b8f12e282937e63dafa172049ba5ee53","file":"/tmp/virus/notavirus","alert_id":"9119633676.6292309","md5":"e5ec464a62dfa27e09b982f728b1d3a8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 32 engines detected this 
file","id":"97","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"af41cc00e654f8aee390f6a6c225a984a6488d46","file":"/tmp/virus/notavirus","alert_id":"6016932683.7660848","md5":"6ee0d56bfa7572a6d77b239d0a40f8e8"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T04:26:10.925Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /var/opt/amazing-file - 33 engines detected this file","id":"5156","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"94ec65882c918420f69f660d84922ec4bc8bce53","file":"/var/opt/amazing-file","alert_id":"0141509898.5631175","md5":"d7366b70bcc997340c172acac9e2603a"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-03T00:20:17.051Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 15 engines detected this 
file","id":"4958","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3a779cb30359867df2d12a45d42f426144ab3da6","file":"/usr/share/sample/program","alert_id":"3151106474.8279466","md5":"cd285a25aacb75efb67c21de4388cfe1"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T20:40:57.855Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 20 engines detected this file","id":"2883","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"de209c9de588ddc1edca5f69d12b3312a3182616","file":"/var/opt/amazing-file","alert_id":"4882543994.7754988","md5":"101cdacada0a0d1cca126cb122d67c9b"},"malicious":0,"positives":"20","total":"020","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T03:51:29.208Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 26 engines detected this 
file","id":"2870","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dd1d2f03462fac8bb421ae694434b2de70ad9e7c","file":"/etc/data/file","alert_id":"3271478054.3870760","md5":"4abed7ac0c464c37a1e92547a4235100"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T08:24:24.736Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 20 engines detected this file","id":"304","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5912cfd389678b2edaa6b1cf838f56b837d528e5","file":"/etc/sample/script","alert_id":"0215403193.7312484","md5":"86564b1c2b2ea070a925f39dae9d3498"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T05:48:47.170Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 54 engines detected this 
file","id":"515","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8ad883903cc87f8e88e69d7d0a5e2ddd0df61c27","file":"/tmp/virus/notavirus","alert_id":"8581500614.8947321","md5":"418079c54e7a0bc7a7e977d2ac8ed353"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T01:43:17.490Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 26 engines detected this file","id":"4574","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dc611f8072631fba755045885679594fff2e1c14","file":"/etc/sample/script","alert_id":"6564008722.7376161","md5":"c0a65d9ad48e444198fc2a9ea781cb09"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-01T14:08:55.688Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2549","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"ab5aa09c264ad7cde46599851c69fb9b2aaaf8a4","file":"/etc/sample/script","alert_id":"4060964987.3965602","md5":"72a4eee098b8a9dc9d549bc7713f45ce"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 58 engines detected this file","id":"1420","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5e51e1ea39b9b7683028dbbc86e0e2f772d8e6bf","file":"/tmp/virus/notavirus","alert_id":"6467020013.7948479","md5":"bf2b037ec049535a32ebe6eb84c6ee78"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T12:50:41.317Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this 
file","id":"5697","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"04c84ef120c1e96dda64a620ee301ca7c3be5188","file":"/etc/data/file","alert_id":"3772421414.2630454","md5":"79525dd70a88f1e7b9229da4345b2d3a"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T04:41:12.593Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 33 engines detected this file","id":"2151","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a673ae0229f9c169108befd143ed244d6a822f02","file":"/etc/data/file","alert_id":"8644662648.7364051","md5":"2215ee4adcb2d65e46dae7eb5af09a3a"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T00:47:09.525Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 42 engines detected this 
file","id":"5223","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e30286d1b3c9cb77d0ae341b9dc1720871aa2349","file":"/usr/share/sample/program","alert_id":"7671706998.3397364","md5":"d4831963aa6c9363c5218b86fad2bf8a"},"malicious":1,"positives":"42","total":"142","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T15:36:06.395Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5239","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"bafa38a872cdfc5856002e65b0088964d44c8815","file":"/var/opt/amazing-file","alert_id":"7574600738.4389849","md5":"75ad555a68e478eeb3c8a48a9606aa6c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 53 engines detected this 
file","id":"3958","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7e977615a77bc32b1c44cafee31765e47892a82c","file":"/var/opt/amazing-file","alert_id":"2464663204.6769236","md5":"3fbb807fbc921f531167b13d39dbcb68"},"malicious":0,"positives":"53","total":"053","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T22:59:27.920Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 12 engines detected this file","id":"3965","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d5c95641701b571e45d2a30cf94c0cdf5ebd92ff","file":"/usr/share/sample/program","alert_id":"1135947608.6165440","md5":"da73c6e16797df5a9c9c33e802be7cb5"},"malicious":1,"positives":"12","total":"112","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T10:34:10.222Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /var/opt/amazing-file - 49 engines detected this 
file","id":"46","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2ba8a9a34ae60758fe2cfb8bb2d2cc0b9674b785","file":"/var/opt/amazing-file","alert_id":"7860518807.5228071","md5":"09b4a6c8aaa83340ffb5ddbae7201524"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-03T14:41:38.163Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 43 engines detected this file","id":"3587","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8273b20f59d22dbfa7efd8fb796a37d3691a2b54","file":"/root/super-script","alert_id":"8658209223.0542718","md5":"06202c55f9149821ab2fd835ac45daef"},"malicious":0,"positives":"43","total":"043","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T04:14:03.512Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 11 engines detected this 
file","id":"4953","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8603730664bb94c919dba66f0c5f2d4bd61d2fca","file":"/etc/data/file","alert_id":"6344026502.1881243","md5":"58cf6d32e051d932a97630870d249a7e"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T18:28:42.054Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 38 engines detected this file","id":"106","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5d0dfd2979749f00b63917751574b2da3a553f3a","file":"/tmp/virus/notavirus","alert_id":"5246050410.9475555","md5":"789495874070232a99a3d52a8ad8ee88"},"malicious":0,"positives":"38","total":"038","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T11:54:15.012Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/data/file - 34 engines detected this 
file","id":"1737","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dfed6b9ca05f3b7cb5fc84e0643da95b87105061","file":"/etc/data/file","alert_id":"8456101202.4127001","md5":"d472e2bf1bd7d363b83058c81516be82"},"malicious":1,"positives":"34","total":"134","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T04:41:10.303Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1613","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a147943371db84cfbb531e78a25fee3a057811f0","file":"/tmp/virus/notavirus","alert_id":"7099274136.0867895","md5":"d5a15f5864b4b396c9cff343bd81f62e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 53 engines detected this 
file","id":"67","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9ea0f6da99b85b0248a470e12363fb7f0cada127","file":"/usr/share/sample/program","alert_id":"3238661856.3381814","md5":"69025b02ae1f0da9984ff530912bc9e5"},"malicious":0,"positives":"53","total":"053","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T13:32:51.534Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 38 engines detected this file","id":"2945","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d04a19b14dd224dedbbd8c10fd488775703f0724","file":"/root/super-script","alert_id":"9815741114.1769698","md5":"4b321fc775f01d0f2ce5e418de4f9bb5"},"malicious":1,"positives":"38","total":"138","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T08:28:44.270Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 19 engines detected this 
file","id":"174","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1a320ebb329594c6eec79c97d01e239be4cf77e9","file":"/usr/share/sample/program","alert_id":"3883438355.6836813","md5":"16c5379086cd16f4367c27fd378d6c41"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T21:51:27.081Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 13 engines detected this file","id":"3207","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dda33f5a785be83c0d2e22417d06b07e18055c2a","file":"/tmp/virus/notavirus","alert_id":"0821442508.1086144","md5":"d52b1aca4bd0a7dbad4576609a520a56"},"malicious":0,"positives":"13","total":"013","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T00:32:41.314Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3898","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0d71eacefccb23f64e616ae1003506e86457b2f8","file":"/root/super-script","alert_id":"2047681187.6788560","md5":"172d44e6887b04d7961cf1a7f19c5b28"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 7 engines detected this file","id":"4581","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3b9ca54bbd572df1b04ea806716fc5c47cd39d09","file":"/etc/sample/script","alert_id":"9401762807.8536358","md5":"82509b6ff87951d95d50d96ad256558a"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T20:19:16.589Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 6 engines detected this 
file","id":"2699","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7bef4c537e6e49f72ec755787a63f48b36b7b270","file":"/usr/share/sample/program","alert_id":"9311875640.0481641","md5":"0fae79d2c49360ec323b182d7d48d215"},"malicious":1,"positives":"6","total":"16","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-01T18:24:28.055Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 45 engines detected this file","id":"5496","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"50e7403a1aa3f191909dd701423bdfdbd8a902f4","file":"/tmp/virus/notavirus","alert_id":"8808474704.8831861","md5":"254ac7506a7292ec7be651e8eee4fca7"},"malicious":1,"positives":"45","total":"145","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T23:11:06.971Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 55 engines detected this 
file","id":"308","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ab6f45f56f5e5ed98f6698375e8c08f009b310df","file":"/root/super-script","alert_id":"6095479707.5136334","md5":"860418a68d969c3662360e90cc4efaaf"},"malicious":0,"positives":"55","total":"055","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T02:53:09.182Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1924","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"39b738f59f5f686d6730640438560da9a35c9cbf","file":"/etc/data/file","alert_id":"8303746474.1638288","md5":"2c46661106eeecca94845174c6bfa190"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2660","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1a750b4eabd77381e049959e55bec977cd8a3549","file":"/var/opt/amazing-file","alert_id":"1365510249.9979732","md5":"d7ecc7d4205541fdb3a48c54ba68c4ed"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1896","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7ff62f3f6091924ec1b31a8d38bbe3922f8dbbc9","file":"/etc/sample/script","alert_id":"4728156209.0474692","md5":"e17857838b2407a9f071d5189529714b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 26 engines detected this file","id":"3267","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7ce4f8234e503996465c5bb49f41781eb04e4a1f","file":"/etc/data/file","alert_id":"6028263226.0683250","md5":"ead6abbddba121bad4d042d203700d74"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T11:27:07.282Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 28 engines detected this 
file","id":"442","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"643f7ad3bbc653da7b2dfdb7eaeeed52e4deb5de","file":"/etc/sample/script","alert_id":"4557598987.4003795","md5":"c8ff6865fcba95263f5e15e4fb5f4de0"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T10:29:41.569Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 41 engines detected this file","id":"4991","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e396903993680ecbdbc62136f9aa83009c262448","file":"/etc/data/file","alert_id":"1669182223.7030968","md5":"56d8abb9fcaa7baf3db8ad9b11cd3706"},"malicious":0,"positives":"41","total":"041","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T02:06:37.346Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5752","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5ebad2cd87588b64133ac9d6c730dc31b4b5a9c8","file":"/usr/share/sample/program","alert_id":"5287468182.8888823","md5":"6d36f4f35fc541ce1aa701575cf2f33a"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 46 engines detected this file","id":"5154","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cf75a4e7168d70a5dd4c216d98862a993d886549","file":"/etc/sample/script","alert_id":"6605365021.5906336","md5":"60bef1a7cb6882435365612054877dbc"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T08:58:01.632Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 13 engines detected this 
file","id":"3361","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8167468aae7739d3bc3c41d807015c7678250da6","file":"/etc/sample/script","alert_id":"3698327057.5043448","md5":"3a1c5041722c650e67bc178c41a2d48e"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T09:50:35.037Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4943","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3dc0c4860950943da459d764f68c7befd936260f","file":"/tmp/virus/notavirus","alert_id":"0589668727.3596162","md5":"ef0469f6e695fd882633985a37a216f7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 14 engines detected this 
file","id":"478","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ab5c948d7b3e59ec0c26bbbcc325ce342b0084b6","file":"/root/super-script","alert_id":"6806894710.7210919","md5":"81e575a86335bb913c5f0dba73627348"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T04:59:48.109Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 63 engines detected this file","id":"2877","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4776a39108f7c4c569cb3369b7cb320cfc0ed33e","file":"/etc/sample/script","alert_id":"6621969559.1524023","md5":"997c518977a9dead3f277229725b2218"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T03:43:30.632Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 3 engines detected this 
file","id":"3734","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cc67e9c65f6bdf6038bd6da6c2a842eb864d297f","file":"/root/super-script","alert_id":"3576445143.5377266","md5":"a66b46873f41bd86fcc4981b1b20c8e3"},"malicious":1,"positives":"3","total":"13","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T15:56:34.031Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 26 engines detected this file","id":"2503","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"37bd44cf72aa57d707b137faa12d8665d042038a","file":"/tmp/virus/notavirus","alert_id":"7738166800.9798033","md5":"5ea23a3e73fce70cf4ddb10fb3f3a76e"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T18:10:42.240Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 45 engines detected this 
file","id":"4724","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2be36612f8ea5a42a443988bff8c46ec19e501ad","file":"/root/super-script","alert_id":"4712820755.5198848","md5":"d55fd5092b1fb338795967dec0c9a852"},"malicious":1,"positives":"45","total":"145","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-03T19:27:12.481Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 27 engines detected this file","id":"5990","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"67e9d70f7cfba64f56baec523d16bf016153b643","file":"/etc/data/file","alert_id":"8766844944.7634146","md5":"c028bc3a0680f34b6b7ac2c088824a73"},"malicious":0,"positives":"27","total":"027","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T14:16:47.382Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /var/opt/amazing-file - 44 engines detected this 
file","id":"5959","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ddb806e0a8aa6213889a4c3be3a911e323da34bf","file":"/var/opt/amazing-file","alert_id":"2812828714.2325125","md5":"15c5a3ded959824510a61d3f11455b2a"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T05:03:56.120Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 4 engines detected this file","id":"2364","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"113323ef41787b4bbd07d0e2812f173a57722a44","file":"/etc/sample/script","alert_id":"7172001603.8509622","md5":"850815382998132fb878b40dd3b8928f"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T10:49:16.750Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 18 engines detected this 
file","id":"4850","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e43daf6120aeb82ff90903f583970a2229ac55e1","file":"/etc/data/file","alert_id":"7817039609.0107210","md5":"92ee8d56d2c78023ac763b39280a3061"},"malicious":0,"positives":"18","total":"018","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T11:53:19.218Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 64 engines detected this file","id":"547","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a3a2b73b9154d38311bd8b041e06362542e80586","file":"/etc/data/file","alert_id":"1504671264.0663032","md5":"7054e265deb4d8ee42a63331f7c2af50"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T09:04:51.794Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 47 engines detected this 
file","id":"1228","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"da9d07ba10715c7ed82397fbfcdc7f73b642ebe0","file":"/etc/sample/script","alert_id":"7940909449.1052215","md5":"ab8921b553f3e92285489d0027aa761d"},"malicious":1,"positives":"47","total":"147","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T23:41:00.611Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"455","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b898c3022c6dd17b758fca2e1198e240e88d29ec","file":"/tmp/virus/notavirus","alert_id":"2938050463.1957460","md5":"011b47094c045e2dfa97e1ec98521142"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 50 engines detected this 
file","id":"2591","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"057c2b08145c1a8797e17ecf0fa0d4fb204ca2e3","file":"/etc/data/file","alert_id":"9270207630.6224893","md5":"5eecd74242ef044cbd798a6be5c41780"},"malicious":1,"positives":"50","total":"150","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T08:17:56.574Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3136","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8a8ef808b47e0c3866ea75d7c67be1f60bc11d35","file":"/var/opt/amazing-file","alert_id":"7961767238.9530981","md5":"30ddd64a3311e6cdfa5991b0068fc733"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 15 engines detected this 
file","id":"1108","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f5af94e9f719aeec53fc81530a217def9d8381fc","file":"/etc/sample/script","alert_id":"8216657232.7425612","md5":"46815dfc7c92355cd387b31d253a3419"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T12:44:05.409Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3352","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"994973620303e106f930af1d5c8022633da80403","file":"/etc/sample/script","alert_id":"3968596320.6510578","md5":"8112cd0299dec7557e9cb5a2876cc3c4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 37 engines detected this 
file","id":"1269","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2337b43ca6d6b6de537811c7aa7aec7f8aaa092b","file":"/root/super-script","alert_id":"3681021448.4235087","md5":"808193e9da6d3a64815eb4c6b8023e1a"},"malicious":1,"positives":"37","total":"137","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T16:24:11.637Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 33 engines detected this file","id":"5002","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0314cb8c183d0c8ea84d8438d7548703ab990a7d","file":"/tmp/virus/notavirus","alert_id":"7059227540.3847720","md5":"8d6ab6adfcbb857ffdeb77c240c6e5be"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T23:20:47.581Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1663","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2c75fa830d80c2154f99eff378a8c68c7b5ff21c","file":"/usr/share/sample/program","alert_id":"1060469828.7162395","md5":"9dd80e5cd3ba72768319670ec99f7100"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4329","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3e04cdb9ec7190fe27e7e2cefc00e7d948bbb462","file":"/var/opt/amazing-file","alert_id":"6431649617.5157516","md5":"bd981db3f9bfe0d64a844f2220d61e96"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 48 engines detected this file","id":"5282","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3153ade28a74343b1489b7075be00863288cf3d7","file":"/etc/sample/script","alert_id":"0635990129.6813895","md5":"a74863c61b2640d0df665de23bd4ab17"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T07:29:31.665Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 13 engines detected this file","id":"4296","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7a1bedec4cdf47f9fbc197d5234bbbd582a84bd7","file":"/root/super-script","alert_id":"5916297714.2534880","md5":"9f49f35af9130a234ed5af15a44475fc"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-01T22:12:12.789Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2628","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2d1780f0c404dfbaa845fefcbf91f08fa4f370da","file":"/etc/data/file","alert_id":"7171724526.0505113","md5":"b21e155c0a149faa9020f7b2f5abf0dc"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 11 engines detected this 
file","id":"1628","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ec24a754f035a48e49ed348745cb002d024563f7","file":"/etc/sample/script","alert_id":"6472987741.6777788","md5":"25bb62302961fa8f50618f52c330280d"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T19:15:32.246Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /root/super-script - 35 engines detected this file","id":"3176","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"71ddd77f15e9ef14409c2d6154a1fd8882845996","file":"/root/super-script","alert_id":"3855559716.2857543","md5":"f6114fa941f1442ed98d60b9a779deb6"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T21:12:19.205Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 15 engines detected this 
file","id":"5941","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"facca2fc1cddd64cf20122bf709afd63895d20c1","file":"/etc/data/file","alert_id":"5936627918.4861397","md5":"5b4575c5935b8a13a5571528ab31f83b"},"malicious":0,"positives":"15","total":"015","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T12:13:40.589Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 60 engines detected this file","id":"5102","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8ddce1acb6017151179db2a59ad12b89adace0e3","file":"/root/super-script","alert_id":"0939338405.8675601","md5":"c7053336d013599408f3aadd981ff6b9"},"malicious":1,"positives":"60","total":"160","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T05:16:34.522Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 17 engines detected this 
file","id":"2969","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ead7c58a80a258022f4f81698405e5250c042c77","file":"/root/super-script","alert_id":"4486697107.8305173","md5":"3fb484786147d539b1e819824da270c3"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T08:35:55.237Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 31 engines detected this file","id":"3777","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a2e44002a0daacb4b05ae750ec3ee5d15d572e36","file":"/root/super-script","alert_id":"1417572130.6346260","md5":"286b437dfb9eb6ebf3414e5b4c54d22e"},"malicious":1,"positives":"31","total":"131","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T20:23:58.348Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 23 engines detected this 
file","id":"660","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ed5d0369d295d21669ceb890d37d13807973c030","file":"/etc/sample/script","alert_id":"3344250851.7209811","md5":"78d93f02175ef3a30275cd8caade242f"},"malicious":0,"positives":"23","total":"023","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T07:50:09.782Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"906","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2b17d3242301921954a3c9646f54954b900b28d2","file":"/etc/data/file","alert_id":"9653599789.4432315","md5":"20d02aa2525f53151a4f75d1b8b58ab8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"447","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"be4cba188f9010209f43faaa251da92849e3ede8","file":"/root/super-script","alert_id":"4255105669.2781654","md5":"ea2feb7b0f6009f77a7bf25fa8522a22"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 41 engines detected this file","id":"2362","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"48ac321e7c6c2d10a1281abc086ac83a4e45a9a6","file":"/etc/sample/script","alert_id":"3686768929.5058291","md5":"d2e58a7cc08344786fd02c716f8dfc21"},"malicious":1,"positives":"41","total":"141","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T11:39:19.373Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 59 engines detected this file","id":"5816","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1c0333910a7268c3d9af98ad9ca6f3a494cdc7ed","file":"/etc/sample/script","alert_id":"2469220079.4717637","md5":"53fce593ca6558ecd59a96ed88ecd280"},"malicious":0,"positives":"59","total":"059","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T03:50:31.938Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 1 engines detected this 
file","id":"2242","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b54cbc53d9d0b86785a395f29f90ee797474761e","file":"/usr/share/sample/program","alert_id":"0036394011.1201983","md5":"efb428816eec792154a6e59d3a38e36b"},"malicious":0,"positives":"1","total":"01","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T04:46:03.637Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this file","id":"1705","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5e61270e15ef496275397065e5d3968f5b1b3e54","file":"/usr/share/sample/program","alert_id":"3519424088.4830216","md5":"677e9eddb0394d6333c5f0678455d198"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T20:14:58.870Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 65 engines detected this 
file","id":"1878","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e6688492d730adf3096490ac0a8e604a8b59a3bd","file":"/etc/sample/script","alert_id":"5737601190.4390505","md5":"64a52c81c49d6485734864135d0643e2"},"malicious":1,"positives":"65","total":"165","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T02:32:03.303Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4578","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3fe49464cc62b35b238b4112a58e709e3e705eec","file":"/tmp/virus/notavirus","alert_id":"7342175083.1919594","md5":"b4e97906bf2e81d05280c802daace933"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 11 engines detected this 
file","id":"1970","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cfe3b95dff75c0f1cdef92d4311db2494bcaf3da","file":"/usr/share/sample/program","alert_id":"0137232742.4465731","md5":"5c4ea50b6a85790a871721e5bcc8e09b"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T11:36:55.934Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /var/opt/amazing-file - 56 engines detected this file","id":"5860","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"088f337e5787dd7577b5a6c877937ec9116e4092","file":"/var/opt/amazing-file","alert_id":"9165454222.2475928","md5":"b10d0df1958718e01038ad0ba4fdb25e"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T20:29:18.315Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 11 engines detected this 
file","id":"1787","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"02a90334578d603d18f124a5752ca2da1ed6f3b2","file":"/var/opt/amazing-file","alert_id":"7384908887.9463184","md5":"ce3fbdf80f38d5eedda7080b9da368ef"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-01T15:56:19.514Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"527","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8b10216e3c984e849ebe0d52c282c8fa6edf6aa7","file":"/root/super-script","alert_id":"6702461673.7905331","md5":"9f58edda0d7b49f0ee8008f6ade6d2a3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 35 engines detected this 
file","id":"124","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d751bb187d7d5e8678be9ba0bb9c73632b659832","file":"/etc/sample/script","alert_id":"4022048934.0043749","md5":"4de191f9340a0c638eefc185a60d930e"},"malicious":0,"positives":"35","total":"035","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T07:50:39.257Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 44 engines detected this file","id":"5890","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bea022dd40c6d1aceff9afdfc6a0defd88cce440","file":"/etc/sample/script","alert_id":"4205155150.6166891","md5":"66123585e894626437944f604dcdc6a5"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T21:23:30.340Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /var/opt/amazing-file - 18 engines detected this 
file","id":"749","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"18b5fcbf5353ddcf100a955a148689189bd7c4d5","file":"/var/opt/amazing-file","alert_id":"0611842758.4797055","md5":"cd7845a77551a0b51f313485eef53334"},"malicious":1,"positives":"18","total":"118","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T20:03:06.229Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this file","id":"3509","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5b35ba956df5b2323787b76fd55a6a23994efdee","file":"/root/super-script","alert_id":"3284134715.1970238","md5":"bf78d4380b015fd21df70f99b10b6f03"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T03:58:39.822Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 7 engines detected this 
file","id":"4140","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c60f184ccf573e22bef2fec02c65af46c5e0753f","file":"/etc/sample/script","alert_id":"3742120936.7796553","md5":"8632007b37699206cfafb872753e12a5"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T20:55:27.667Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4320","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3ada25bf0a6f64ad447387e7437e707a1228f666","file":"/var/opt/amazing-file","alert_id":"6630309733.6585057","md5":"dd5b95a3d263be48472c441966046877"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 50 engines detected this 
file","id":"5496","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"94dfcaa1dbfba0d3e752c3aa93c82a3db38b9c11","file":"/var/opt/amazing-file","alert_id":"0265689506.2153156","md5":"7c3a6a3a9815af85454975ae298ce3d0"},"malicious":0,"positives":"50","total":"050","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T11:21:37.407Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 15 engines detected this file","id":"3836","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9f680b1e03fd4cbb44e1d6d1d81d258c5ba2b849","file":"/etc/data/file","alert_id":"3015878115.3991779","md5":"685673b086c039b4e73ade241ef7ed8c"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T03:32:53.582Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 27 engines detected this 
file","id":"2234","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b6ea7847ad839e5cbff6e2f2a4eed61cdf838948","file":"/etc/sample/script","alert_id":"0559352384.3698655","md5":"817222ec76137fb5294c1b22820ecb2a"},"malicious":0,"positives":"27","total":"027","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T23:37:10.851Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 2 engines detected this file","id":"2883","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7d602467b1316f0031fb187a07f41d5805406317","file":"/root/super-script","alert_id":"1889423758.2978339","md5":"686853901d691e27e15bd979f5a4b2c8"},"malicious":0,"positives":"2","total":"02","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T20:12:47.389Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 25 engines detected this 
file","id":"1453","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6c470995111000627c49b0d0f4822a1fe6ab4d48","file":"/etc/data/file","alert_id":"4405991896.5795965","md5":"f99b84d93a5ccbd14871066c7a62daaf"},"malicious":1,"positives":"25","total":"125","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-02T01:41:03.011Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 25 engines detected this file","id":"907","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"747f44f32b6ecdd73302669fb4e27d9b14efc3a4","file":"/tmp/virus/notavirus","alert_id":"1461779249.1317076","md5":"5a3ef055566862a2e2ac152d4a8773c6"},"malicious":1,"positives":"25","total":"125","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T06:49:34.761Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 7 engines detected this 
file","id":"3063","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"458b79bd734efe04df75c66135f37c46f093f08c","file":"/root/super-script","alert_id":"4128880443.9213880","md5":"a6c03e8d5183d080607c4fb4bf9d3f44"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T14:29:06.833Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 13 engines detected this file","id":"3685","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"985590f10a1ba139c1a56689b9bd9958fd1b5f80","file":"/usr/share/sample/program","alert_id":"4049630946.6689499","md5":"a5f38b428f22ed6ce535bd2bdcd90be1"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T05:52:36.090Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 5 engines detected this 
file","id":"2787","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3419574a3dbfeb5c0f5d051e71ee6ace2a7fbfbf","file":"/etc/data/file","alert_id":"4165059822.8814097","md5":"6cfb10ba52f1f71ee18e7482d8058efa"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-06T18:56:09.978Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 56 engines detected this file","id":"2001","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a07eeca5f054fcfdcf21b933b654379bd9cf712c","file":"/etc/sample/script","alert_id":"8162138159.9516392","md5":"a7073c1bf50a8b7c940730f2a1c65f87"},"malicious":0,"positives":"56","total":"056","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T17:12:28.684Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 47 engines detected this 
file","id":"4001","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6337abb58fc29ca6c3a06c22989cf9a39e29217d","file":"/etc/data/file","alert_id":"8275779461.1943472","md5":"e48f4d6da9efa86a66c99825028779e3"},"malicious":1,"positives":"47","total":"147","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-05T15:52:37.282Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 23 engines detected this file","id":"5309","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c62daa626a810864f7f65f8a0cba76ecb47f7bd9","file":"/usr/share/sample/program","alert_id":"4479278800.7739027","md5":"dea5c9fd4150df3e0058a873632eeac1"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T01:59:41.855Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 30 engines detected this 
file","id":"3957","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cac7ab5444ad1ab59d51884bbbfc91fe32ee9aa5","file":"/tmp/virus/notavirus","alert_id":"6847965261.0115907","md5":"d38a808ae06f76793056c3e15754a338"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T01:10:12.091Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 19 engines detected this file","id":"4095","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"866b1b167ecbd095f1800f1d79640ba5f4cc7d64","file":"/etc/sample/script","alert_id":"9444408137.2157683","md5":"878ad98e87bfaa0c0637a79cd26423a4"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T04:36:27.183Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 61 engines detected this 
file","id":"3958","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5f4b059caf77d43416031484d3572d33eef279b8","file":"/root/super-script","alert_id":"4287032413.4659468","md5":"e62020317deaff24637e4bb67116b536"},"malicious":1,"positives":"61","total":"161","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T15:10:34.093Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4893","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f48325fe817f9282bad70d8d6e67107531daf607","file":"/usr/share/sample/program","alert_id":"4234004949.7104329","md5":"2dee951de2dc137a36e18a2f47aaf054"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"252","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"669ec7075bdfd2c6200ec3d8c1baea761754959a","file":"/etc/data/file","alert_id":"8103019262.0015841","md5":"d8686d573f278f40a428af969acb30d8"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2719","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"954956a62cc0a454f716bf06f10b060c519ed1af","file":"/root/super-script","alert_id":"9197653568.0080363","md5":"62751ebb479482ab51d59ca477843e61"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 1 engines detected this file","id":"1683","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"50ad4d99fc887b99f86a9b53a1b1bc083f8b9faa","file":"/etc/sample/script","alert_id":"7149512056.9364527","md5":"e68ce167d657bdbac21eac15c6004aa7"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T23:45:55.552Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/data/file - 6 engines detected this 
file","id":"2387","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dff4277442cff4204c3ec78e2fca6f6903189079","file":"/etc/data/file","alert_id":"0523070059.4776734","md5":"65c710ff700faa5059a146d6ae81c89c"},"malicious":1,"positives":"6","total":"16","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T10:14:28.480Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 9 engines detected this file","id":"4678","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"31d04660985e97f836abeeea93e72cfde6ffddd6","file":"/usr/share/sample/program","alert_id":"1816394802.3934950","md5":"e7ccdc90dfb9ed90cf9317d17dc580aa"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T16:16:11.400Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 7 engines detected this 
file","id":"3814","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"13248e28d88e1634daa83ee312cea9bbc5704363","file":"/usr/share/sample/program","alert_id":"8431783911.3820411","md5":"23747210fbbfcdfc89a1f140cd388efd"},"malicious":0,"positives":"7","total":"07","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T13:19:10.478Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3466","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b80bf4543b9a53247eee8b57c6487b71fe972e64","file":"/etc/sample/script","alert_id":"1564383447.1323309","md5":"8e3b3ef43f393008cdf62a4b526b9163"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 19 engines detected this 
file","id":"1928","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a5c00d30cad8662eab2bb2673474ea5bbec76c49","file":"/usr/share/sample/program","alert_id":"7204118522.5487174","md5":"a82546c5a63a3e77574ced5bc71bd8ac"},"malicious":1,"positives":"19","total":"119","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T01:11:06.390Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 54 engines detected this file","id":"3818","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3acb0604fe9bdfaf9c12c7e0643d46380ee6ba93","file":"/etc/data/file","alert_id":"1105984073.3605112","md5":"5db913141dc4ef2d994ded5734c548c1"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T15:14:16.775Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 16 engines detected this 
file","id":"2009","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e0ba562290455f8cff3e82888d2c4c6dc71c0d36","file":"/etc/sample/script","alert_id":"9299384778.8262206","md5":"6b86ffec5d0d2500f3f9fe68085d209f"},"malicious":1,"positives":"16","total":"116","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-05T12:48:26.291Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 8 engines detected this file","id":"1138","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1b64553660780da50ab046cbfc86941eec86e4d7","file":"/root/super-script","alert_id":"0510617152.0387480","md5":"7ea3b12e9719b3620b6a0e7726ad82ed"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-01T17:29:25.515Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3970","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d8da83419884e8ecfd90d0c97eba05910edaed6b","file":"/usr/share/sample/program","alert_id":"9362846788.1215624","md5":"4f31bac47dd0f19a49150995b2c9e3a4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 31 engines detected this file","id":"2040","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"47cffe13b281d4d90ac42a453bf7ee3099e02364","file":"/var/opt/amazing-file","alert_id":"2843393860.2747152","md5":"56907d13cac324987ec386409038c6e4"},"malicious":0,"positives":"31","total":"031","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-01T20:23:02.339Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /usr/share/sample/program - 33 engines detected this 
file","id":"136","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1888bb5d641608cfeefa9e124636d699b10fff0f","file":"/usr/share/sample/program","alert_id":"9287060085.1117581","md5":"8a0f144e4479b283f3fe829ef7ff59ea"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T13:03:05.708Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 29 engines detected this file","id":"1813","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f40d90c7788826170650c214e32f36f8006de8a2","file":"/root/super-script","alert_id":"5248884479.0320818","md5":"15b4988b33757be5681d6e84a50f18f4"},"malicious":0,"positives":"29","total":"029","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-08T05:59:19.104Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 2 engines detected this 
file","id":"1713","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2113e3f088b41f3ff3c47bed29ee63921a779164","file":"/etc/sample/script","alert_id":"2919840228.8015960","md5":"febeeba92f5b504d1639415b377da5ac"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T21:11:10.183Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 6 engines detected this file","id":"4818","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"537df9b1bb987c24bc744531d5cb1ba76df8b35f","file":"/var/opt/amazing-file","alert_id":"5352117923.2412080","md5":"9aaf718fead4d1ce8ef396c3aa3d091d"},"malicious":0,"positives":"6","total":"06","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T23:34:21.079Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 10 engines detected this 
file","id":"1146","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7dac6cd5463dfee458e0a6c7e45c9c81222a36c4","file":"/root/super-script","alert_id":"8789707713.4269617","md5":"7c17f8a46e9778f55cf22623fe4deebf"},"malicious":0,"positives":"10","total":"010","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T15:54:49.775Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 48 engines detected this file","id":"2738","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"373ea0400b282a44d326aca0a745030fc2aecd90","file":"/usr/share/sample/program","alert_id":"0940170251.4708401","md5":"d736741595f1e575ee145577f7149cf8"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T09:51:45.820Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /var/opt/amazing-file - 57 engines detected this 
file","id":"4161","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3add5071e93d374b04077278b29897e9cab6e734","file":"/var/opt/amazing-file","alert_id":"3602230248.5655054","md5":"4c07fe7072a16de1e906a4ba6637e8a6"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T02:33:33.433Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5234","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a603d795def5b5ff043242c3341c7eec81b11b81","file":"/usr/share/sample/program","alert_id":"5682491658.7049736","md5":"aa7523b1b9a5ec9bda4f17fd7797b2b1"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 38 engines detected this 
file","id":"692","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bf3a890557d20b3f0ae937bc51a2390563788519","file":"/etc/sample/script","alert_id":"6806789589.1912741","md5":"78a07dc7fac7840e1ed314dd42f009b6"},"malicious":1,"positives":"38","total":"138","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T04:51:11.402Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5179","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"663274c964c215b1ce89558378995ed332404267","file":"/tmp/virus/notavirus","alert_id":"1623067120.6065729","md5":"58f7aff2d8fc6364eecb92bd3e1b2a9a"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1850","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7959ccdb55b4ec5001c0a7382a646cd246d1cc74","file":"/etc/sample/script","alert_id":"4186282137.5682820","md5":"b50869e9ace2b87b71bd83bd96dd7d86"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/sample/script - 15 engines detected this file","id":"4202","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ebacc53a50585da94b9e882708dafdcf49683d43","file":"/etc/sample/script","alert_id":"4075483353.1910913","md5":"b36a3868f67e48e8c83631bd81792136"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T10:37:46.157Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /var/opt/amazing-file - 49 engines detected this file","id":"3904","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ec97d25824e7fa58afb78b8af56fc8aa155a504e","file":"/var/opt/amazing-file","alert_id":"2971355954.3239710","md5":"5d398d01df38a8d704b4b4d3db234d70"},"malicious":0,"positives":"49","total":"049","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T04:18:35.433Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 9 engines detected this 
file","id":"1206","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"24ddd51e6771005c52c5ee50132058ca660ab7fc","file":"/etc/data/file","alert_id":"6204503884.0728911","md5":"e3e24d4cb516979eb407a8656722f2f9"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T02:36:22.194Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /usr/share/sample/program - 55 engines detected this file","id":"4454","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9c73b92b5dc887aa4a4e3504187e5bec752095a5","file":"/usr/share/sample/program","alert_id":"8482368106.7579195","md5":"5cd8108f515939d2d9a385c531d6725f"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T05:41:58.855Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2457","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4fdf52f0bf605f37e678cdc65ede87970a1132da","file":"/tmp/virus/notavirus","alert_id":"7856682615.5992261","md5":"5756bab30d1b380b649d54b274f63b6e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 15 engines detected this file","id":"3893","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"05a74369886ca3f2ac59b280b0e66e65f8cabe39","file":"/etc/sample/script","alert_id":"2299461055.5249449","md5":"3cb9b79c010fde0f5f1ba39254cd180a"},"malicious":1,"positives":"15","total":"115","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T19:11:00.355Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 62 engines detected this 
file","id":"238","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cc2ccf01592e1168ae0a7390faa1cc4cbe2d56dc","file":"/etc/data/file","alert_id":"4819553071.3218613","md5":"2346d022099b99feb2c8e6375999e662"},"malicious":0,"positives":"62","total":"062","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T00:14:43.797Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 8 engines detected this file","id":"1860","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4f4c2ac47fa5d72f4cde7f159c33afd4f1cd15a5","file":"/root/super-script","alert_id":"0276344795.9822580","md5":"2660b2c4218407442d5b360f2f468ef7"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T14:48:19.662Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 44 engines detected this 
file","id":"435","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"817fee77d86e85cfc4d4e7b5eba388f8d40f9c33","file":"/root/super-script","alert_id":"0395388219.2763802","md5":"db476523bfa8a532e2c2aeb5394e39fe"},"malicious":1,"positives":"44","total":"144","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T13:36:18.556Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 53 engines detected this file","id":"174","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"722bf1b219e6eefa81dc385455b3d95633cce108","file":"/etc/sample/script","alert_id":"5468989146.6930778","md5":"2678ee602a34af7895018e06d9f68d95"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T17:59:18.890Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 48 engines detected this 
file","id":"3675","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b9112a1dbb7988e581ae458b86a3670c1c4f63d5","file":"/etc/sample/script","alert_id":"3232556793.8019475","md5":"9f93e27ecf7c2bc1e62764ff9c9861c3"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T21:19:29.763Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 51 engines detected this file","id":"4090","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"13abc50a4736f476ccbb0e81bd255e2f5100a736","file":"/root/super-script","alert_id":"4981704480.3035603","md5":"93f028f342d35632785e7cbea188b1ce"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T14:25:47.500Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 14 engines detected this 
file","id":"2915","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"215991f514d5600db26dbdf28dfa2c4cd3050543","file":"/etc/data/file","alert_id":"8489947247.9320210","md5":"af989a1d51c8e2c64e4b431d8035710f"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T11:52:25.360Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 4 engines detected this file","id":"5064","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"930ac58f20a8ea51b8fb9f5d22933eacd66a3f47","file":"/root/super-script","alert_id":"1912623429.1049057","md5":"d4fa52c53b0e5a50af37fd8333fcf2c9"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T13:52:33.314Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 45 engines detected this 
file","id":"865","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"af538c7b7744f06b20c3e08a5d2eed5c9f42b262","file":"/tmp/virus/notavirus","alert_id":"0363869057.5078445","md5":"6913055ded5d601c8ca65a2e6a62622e"},"malicious":1,"positives":"45","total":"145","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T06:21:19.201Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 54 engines detected this file","id":"844","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8db5ea8a278f81942587e6fbe5ac9bae91c83c9e","file":"/tmp/virus/notavirus","alert_id":"0662733114.3355881","md5":"d4b4ed96ee2a9329b12c55110c840085"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T17:06:11.710Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4060","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"57442722d0c36a9d5f4792f2341c78e4f489560f","file":"/root/super-script","alert_id":"8224700879.2128669","md5":"0f31a70e20de3745c29589e6c395c60f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 40 engines detected this file","id":"4312","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4e7e2ed216a38a4741e8600fd981156128b709f0","file":"/usr/share/sample/program","alert_id":"8698908838.1136994","md5":"137caecab37f1bf4bebfa11a4c1adcc6"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T01:42:09.681Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 63 engines detected this 
file","id":"5285","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6778a3c4fde6b51c88d20bcf0445546928127d24","file":"/etc/data/file","alert_id":"3010660841.4119526","md5":"e40856a50d7d4e483728c467a13a300e"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T03:25:14.590Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3521","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a137234155081ae7a2b782a40062d7d057661c8f","file":"/etc/sample/script","alert_id":"6089466877.1251010","md5":"99e66fd97a9b461e3129def800197bac"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 62 engines detected this 
file","id":"3499","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"25c917c8a72195e287783c3b67dd02c6a44f633f","file":"/root/super-script","alert_id":"9000526474.2888250","md5":"b8ea34efa7e402577da0d66865430a0d"},"malicious":0,"positives":"62","total":"062","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T11:46:21.518Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 19 engines detected this file","id":"1065","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8119b6e6137cf997f70a1fd66b373bf9ab2d9acb","file":"/etc/data/file","alert_id":"2994632634.0531566","md5":"286adfae928e83f6ee6bc2060787bc93"},"malicious":0,"positives":"19","total":"019","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T17:05:49.748Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 27 engines detected this 
file","id":"3752","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4a992f5bcb7fe09b79f97a13c745a76421f0157a","file":"/root/super-script","alert_id":"0342670212.1966899","md5":"acc265ee99df15126c3f3f340dd03637"},"malicious":0,"positives":"27","total":"027","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T08:03:19.934Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2567","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0c2d83efda4c1a11e66ad3804fa73feea1d621b7","file":"/usr/share/sample/program","alert_id":"1462983483.5715249","md5":"be8762fafc47661a41641ee51094ccb5"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4399","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0b5f93528520046416ecdf76eb0057a368256134","file":"/usr/share/sample/program","alert_id":"9059936302.6117596","md5":"85784a0db6443171cd10d058356c0cbb"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 29 engines detected this file","id":"5946","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ed8e9abcc48ea6b69ce8235ea88139133a9111f2","file":"/tmp/virus/notavirus","alert_id":"9805711181.1266619","md5":"3cbadc6f6fb6e83c02f14abff5a32a0a"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T12:10:54.766Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 26 engines detected this file","id":"4277","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"eee625e0dfaaa57d69e090b4e35c292724504358","file":"/etc/sample/script","alert_id":"2218482470.1216928","md5":"8204faad366e35b58a983df4ee82ddef"},"malicious":1,"positives":"26","total":"126","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T05:27:16.699Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4303","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6cc1abaaa8fd656cfd09b6de2415af32a088d882","file":"/root/super-script","alert_id":"3617800447.6837645","md5":"aec069fb0e06518710e995f55032fac4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 13 engines detected this file","id":"5028","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ea8419188fd76db978709c1bbdf3b7568b382ba2","file":"/root/super-script","alert_id":"5842224006.7748504","md5":"f82ce92c65c198d59c0d80f57d5bfa29"},"malicious":0,"positives":"13","total":"013","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-02T09:52:15.385Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /root/super-script - 2 engines detected this 
file","id":"2255","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fc84f2817cc9720bfe4f6daa495447cda05a353c","file":"/root/super-script","alert_id":"6507792601.8352009","md5":"297f0e866b56ada38b96c364ec2a90d3"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T06:00:41.269Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"914","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"85808efe30906a83f340cc7fb6a3f90496b5fb5d","file":"/root/super-script","alert_id":"5587367933.0276298","md5":"f3c0e798a432c360d87d5c3209450939"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 14 engines detected this 
file","id":"4669","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0010d24cad8221f90d1b99ef7fb1410fd4e024a3","file":"/root/super-script","alert_id":"3604496042.5137103","md5":"f532b1ae404315dfd366c34beff027b5"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T00:57:10.127Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 35 engines detected this file","id":"2393","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1c610bddbcb2be97c1f9750aada8e32f136a32e3","file":"/tmp/virus/notavirus","alert_id":"9540311929.4937733","md5":"d3188e1e15e2c07e6ef3498edbf7cfb9"},"malicious":1,"positives":"35","total":"135","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T08:21:48.214Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 31 engines detected this 
file","id":"514","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"60319c2acb2300518ea929fde21509553e5b24fb","file":"/root/super-script","alert_id":"2677452214.0565116","md5":"80f7178413a3933bdee876857baa923a"},"malicious":1,"positives":"31","total":"131","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-03T05:13:13.588Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /var/opt/amazing-file - 46 engines detected this file","id":"227","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3f2454d1cefe20eda750a077d08fa78d226449cd","file":"/var/opt/amazing-file","alert_id":"5312768587.2828671","md5":"8383ef2c1da0a41de71909529e89e425"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T04:35:47.953Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3286","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7674cebd3393204f35a003264faa401ca5d126bf","file":"/tmp/virus/notavirus","alert_id":"8058965459.7315379","md5":"8068da918add16cc8225ab5176ca7dc2"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 51 engines detected this file","id":"5301","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"26d6300346991bb95327a726216cf3e0d0b1a278","file":"/root/super-script","alert_id":"4769456086.2035521","md5":"cb6fa701ae1c219a070e57c6724acd62"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T12:24:58.037Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 4 engines detected this 
file","id":"5451","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d1f9b962d5179659763567ae91314db4bb1d9491","file":"/etc/sample/script","alert_id":"8390591921.4166025","md5":"bdd404ce39c4c7154bb3bfa43e435754"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-04T18:28:10.587Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/data/file - 33 engines detected this file","id":"2955","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7a2939de0f21eef6455d9e61e9eae1179872628d","file":"/etc/data/file","alert_id":"3377275853.0940595","md5":"8b29ac8c9a1147c2e046aafc90d9de20"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T01:48:35.333Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 39 engines detected this 
file","id":"372","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b86ac54b54daa90bda08d5ff03a04e965fcdd63a","file":"/root/super-script","alert_id":"7076381946.1409370","md5":"38883af906410af04656f7c198d329c1"},"malicious":1,"positives":"39","total":"139","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T05:52:03.362Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/data/file - 65 engines detected this file","id":"2590","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"984901ae006fe8a57f0cb147cce6589f14990003","file":"/etc/data/file","alert_id":"0494012738.5499682","md5":"b1f257e5ccf04392e5615df2859361ab"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T12:14:45.517Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /usr/share/sample/program - 60 engines detected this 
file","id":"5001","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c4046bf6408811ddc96ea958f13f49ffca808624","file":"/usr/share/sample/program","alert_id":"4193538372.3669346","md5":"5bcfaea9a0f33e1e3bb19fd6927900dc"},"malicious":0,"positives":"60","total":"060","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T17:57:12.316Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 9 engines detected this file","id":"4032","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6b745baf04f909ec5f8e9c41ff49684f993aeeb8","file":"/etc/data/file","alert_id":"1244720894.5114026","md5":"44e6c20380f0603b34fa0fe16c784c38"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T20:42:44.499Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 17 engines detected this 
file","id":"520","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"80430d9f9c9f9441ec942da7582974035a756c07","file":"/root/super-script","alert_id":"2625940315.7539954","md5":"a65c95054998a7ecce78ed83dbe184c5"},"malicious":1,"positives":"17","total":"117","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-06T12:56:19.221Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4007","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0893d0afade896393113be4ee1c786d97fa0becc","file":"/tmp/virus/notavirus","alert_id":"5165919285.7662683","md5":"50123b4fb8ffe4b1056ee885e97d8d7c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2499","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"01ecd3d62a221b1f162859e6adcc1a86ddc681f4","file":"/usr/share/sample/program","alert_id":"0743829855.6710174","md5":"e3b9760f9a188e3e3be66ae619ab35c0"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 14 engines detected this file","id":"4214","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f2823806484027a9b07f5884a7ac95d5c21f043d","file":"/tmp/virus/notavirus","alert_id":"4882377049.4850348","md5":"3a908b0b8c5ebae8f02ee97290cccf8e"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-01T15:51:14.357Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 39 engines detected this file","id":"3898","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"318f1a19a9084222532eb4accaff2ebf5af9dc9e","file":"/tmp/virus/notavirus","alert_id":"2536609882.5213861","md5":"7843714c30786ad25f356522a9ebb8d9"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T09:42:28.929Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"565","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"df0b52108b5296888df88bf2a5cbd602767049ea","file":"/usr/share/sample/program","alert_id":"9713600691.7081073","md5":"0bd8ac3c5c9f3087677a1e1b04f7b9c8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3879","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d1711b2cf6daaa61ef6317ab1bce37621a91271f","file":"/usr/share/sample/program","alert_id":"7424589285.0050373","md5":"1919dd80f19789e32c2f3e3989259639"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 4 engines detected this 
file","id":"5399","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c0c869a66c69554e79d55cf0a15866c32ea15530","file":"/etc/data/file","alert_id":"1028737867.9755830","md5":"cfa36472b86b8aa4e4426a34e9974b1d"},"malicious":1,"positives":"4","total":"14","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T06:37:31.270Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 0 engines detected this file","id":"24","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6f43b4c99ed11fac06d9dab48baf78480673fe8a","file":"/etc/sample/script","alert_id":"8213392514.0110801","md5":"f313d9c00e6dc630821f2211a6ab030f"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T21:04:59.784Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /root/super-script - 11 engines detected this 
file","id":"5131","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9f8bf7345d21183ea21d6bb5d0818e7a5f6b294d","file":"/root/super-script","alert_id":"9144461980.4127357","md5":"43c611aa5d0b1387283c43809b9a95cb"},"malicious":0,"positives":"11","total":"011","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T00:46:32.027Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 61 engines detected this file","id":"2175","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1e3b081384a9cf350aa780f1a43b83237ebe677d","file":"/tmp/virus/notavirus","alert_id":"3883193870.8401866","md5":"852607e3c305432aedde446c4adbaf9f"},"malicious":0,"positives":"61","total":"061","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T20:12:37.452Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 57 engines detected this 
file","id":"5807","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c97a8230346083804d161939d5c06443e8c488d9","file":"/tmp/virus/notavirus","alert_id":"7940979049.2317077","md5":"f3f2195a478493a351c2ae8e03666707"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T01:33:08.707Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4333","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c27c3f8365675946b06fced090d7dafad38eb3e6","file":"/etc/data/file","alert_id":"4854795435.0149773","md5":"7e9e1743292261ec8c5782cbbb61ec4d"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 48 engines detected this 
file","id":"2963","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c116a244201249fad60c364da6a4359c405201cc","file":"/etc/data/file","alert_id":"4670305513.5708990","md5":"b62c7177d780e43f3edcd4810037d1cb"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-04T06:20:17.602Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 39 engines detected this file","id":"2548","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5e55bbdf27969ae3503dd62885c7f40d4fef0e31","file":"/etc/data/file","alert_id":"8346373919.9542044","md5":"54f499b690371a7a3f39454b5d312119"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T15:56:08.406Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 2 engines detected this 
file","id":"5244","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"099ee095cbab62a1035a3851b4317aa38ebf5e89","file":"/etc/sample/script","alert_id":"8962143712.1479513","md5":"f1a55d0a4aef06dbfe8bd2ba62b7ae19"},"malicious":0,"positives":"2","total":"02","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-08T11:36:28.731Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2853","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6338803379b1d29fcb3564982ccf05815a935703","file":"/etc/data/file","alert_id":"6136255326.7329574","md5":"4d6cb896ef8e176935b5d87e06caf6cf"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 28 engines detected this 
file","id":"3599","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"57abea612d30e883a9e7ce286870a0ed04bce95b","file":"/etc/data/file","alert_id":"8547998310.0992125","md5":"c04d0225203ebbe8a919eb0524c3065e"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T05:00:35.927Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /usr/share/sample/program - 6 engines detected this file","id":"3377","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a163ec4fe3908c0dc64d598cabf7dd9f25edc3c3","file":"/usr/share/sample/program","alert_id":"6891857536.2102433","md5":"b43bccf9c14722daffd113c304cb9e3b"},"malicious":1,"positives":"6","total":"16","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T12:46:28.517Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 30 engines detected this 
file","id":"2891","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fffc4eb2d164c4c8171a649bfd4f9b51d1fa6077","file":"/usr/share/sample/program","alert_id":"7057009751.3937710","md5":"681074f5670af275face046fa7d5e464"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T06:53:19.544Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/sample/script - 58 engines detected this file","id":"3177","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6a45ae06e3b534a3cdfed0dbb40398c8561c7279","file":"/etc/sample/script","alert_id":"9045073767.5901357","md5":"dd5afe6260534be5d4d5540083377592"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T14:52:15.903Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 39 engines detected this 
file","id":"4452","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f267e63a071962df7e5aa3f25e2722da069db12c","file":"/etc/data/file","alert_id":"1711567777.1667164","md5":"5b389395c826cab686a3ee0e230fdc0c"},"malicious":1,"positives":"39","total":"139","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T14:35:36.482Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1935","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6b95daa08deb97b4ebcde5d0016dc973171b4eba","file":"/etc/sample/script","alert_id":"6407246140.5266283","md5":"74dd946c2f542eeb57b5503f81200251"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /usr/share/sample/program - 55 engines detected this 
file","id":"5544","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"92f7c4f502e1e5b68d4d98b8c6a3dbe41bf40699","file":"/usr/share/sample/program","alert_id":"9581645189.9422930","md5":"1601a153ab65582e06bc2763450d0f26"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T08:37:50.125Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 1 engines detected this file","id":"5671","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"535a21821f4f0a58d781339a7c38050f84a457e3","file":"/tmp/virus/notavirus","alert_id":"5760025982.1983357","md5":"87b17c8b4bb776aedbd567112c696813"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-01T19:31:49.236Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 36 engines detected this 
file","id":"1182","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"aa47bff99a75a4ceaba4acee260edb97b3b80018","file":"/tmp/virus/notavirus","alert_id":"4415265129.8724733","md5":"c9a45ffb382b5cbd975c22ae9f329e19"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T23:47:56.684Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 28 engines detected this file","id":"3665","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0803aea23e2813e1b5081df32304b89a017f497b","file":"/root/super-script","alert_id":"7241672350.0827659","md5":"e92687cc2e8e6931b3877b7f600fdabf"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-08T11:06:18.993Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 49 engines detected this 
file","id":"1326","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b3f357ed711d078a6bdafeab4480aad70ca906f4","file":"/tmp/virus/notavirus","alert_id":"1935017188.5898959","md5":"0e000f71d9f0a6581a29368584237ca6"},"malicious":1,"positives":"49","total":"149","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-08T08:05:35.414Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /var/opt/amazing-file - 23 engines detected this file","id":"3731","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7329762b306ece63f19f1e8ebde9c690b320fddf","file":"/var/opt/amazing-file","alert_id":"3773133218.3859095","md5":"665c089b14320eb9642a5d07464d54e7"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T04:25:05.211Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5721","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f6ab56196bc72f7b5e5816eac555dfe0b6f6bfc2","file":"/root/super-script","alert_id":"6783578675.9605413","md5":"e2dc88a19cb7040c40f237f91775b4f9"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3319","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"671ec688eebb781ce48b1319411181a51e717f55","file":"/usr/share/sample/program","alert_id":"6220595416.6464872","md5":"aa6efb54b75d5ffc5d5b5272da98062e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 38 engines detected this file","id":"1159","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b41c0af72a456d2e126c3b3c0b78c8f6ca9c567c","file":"/var/opt/amazing-file","alert_id":"1878109176.5450497","md5":"47f1435425b9c21fb6500116e3cff396"},"malicious":0,"positives":"38","total":"038","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T18:10:15.628Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 5 engines detected this file","id":"4226","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"aa4fc903d6ba497dfbef7099d4bb4aadc134821b","file":"/tmp/virus/notavirus","alert_id":"7403633474.5673338","md5":"a9e10c5fc6e89a990deec4bd39dcd74c"},"malicious":0,"positives":"5","total":"05","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T13:24:04.885Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2488","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8c117c4333d6cc0e5ba52750d1888bd95e58122b","file":"/etc/sample/script","alert_id":"3683622894.6890990","md5":"51a2fb7aa48bc29f29f778958936184f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4523","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1da33094b54977afd0711c11b12d6d13d615b3fa","file":"/tmp/virus/notavirus","alert_id":"9579278608.5656702","md5":"7286c34e3c42dfc071db5a88feed97fa"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /usr/share/sample/program - 42 engines detected this file","id":"4129","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a4122bc27d403ff0e1967ceed0a9be518f7fda6d","file":"/usr/share/sample/program","alert_id":"6247693753.3506456","md5":"7d57e24712c606acc519c6d103c58d5b"},"malicious":0,"positives":"42","total":"042","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T08:56:25.536Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 7 engines detected this 
file","id":"5120","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f0649c2f752ced689fc446a2e4f84b148a4c8908","file":"/tmp/virus/notavirus","alert_id":"8147998304.2909103","md5":"a0491b44bf569295ec17701e7384ecf0"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-08T11:22:35.655Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2239","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"bbcbe10ee3d3d83935096b42d54f2075a77da1e4","file":"/usr/share/sample/program","alert_id":"7098707298.1751262","md5":"8b0ca852e26db84e3c156d14cf65b736"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 22 engines detected this 
file","id":"3177","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0146c6aa3cae65f2478cb74d2ea9c14112d09283","file":"/etc/data/file","alert_id":"0626658589.0442768","md5":"12bc8c0f3de24b5a74954ffcdfc551ff"},"malicious":0,"positives":"22","total":"022","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T01:38:16.737Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 59 engines detected this file","id":"5100","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"181471fe98bf879d3477130e3f3c178547314662","file":"/etc/data/file","alert_id":"3492376039.0366900","md5":"42a0a5bd0ab7275d00da777ac110d831"},"malicious":0,"positives":"59","total":"059","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T20:39:20.140Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 23 engines detected this 
file","id":"2143","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b59e294cef127bdff5caf5159f5b82cc6a22a776","file":"/root/super-script","alert_id":"8400063419.7602732","md5":"b644bc4edaaf49e0ba296999eb59c780"},"malicious":0,"positives":"23","total":"023","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T10:25:58.356Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /usr/share/sample/program - 54 engines detected this file","id":"4431","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4e47cbbabdbfbce544f78be61ed42636940f6b6a","file":"/usr/share/sample/program","alert_id":"9291166404.7930086","md5":"e75e57dfd2805379dff1e81474fd5c0d"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T22:15:16.535Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 25 engines detected this 
file","id":"2691","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"267cbf73c847b6920bc18db5957a82b1e969f0f2","file":"/root/super-script","alert_id":"4060441407.9506150","md5":"623f69259855e0354830adff93d3774a"},"malicious":1,"positives":"25","total":"125","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-08T11:12:44.038Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /var/opt/amazing-file - 59 engines detected this file","id":"5027","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3b678c6cbc0ca1c38067605bb8bcba66f8d7bd77","file":"/var/opt/amazing-file","alert_id":"8492054547.1548905","md5":"b044169ff031dcac817c580aa68e3066"},"malicious":1,"positives":"59","total":"159","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T09:10:06.869Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 40 engines detected this 
file","id":"4596","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3cc5db3fa0f0fbc424a0343c58ffb1713961e0e9","file":"/etc/sample/script","alert_id":"4448003976.0800645","md5":"a53f61de65394420fd76322be9f774aa"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T02:07:10.935Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 28 engines detected this file","id":"3222","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ce59b9ff9f03c6e9ae264801d92ec224cc2ab0a4","file":"/usr/share/sample/program","alert_id":"8962584534.0640025","md5":"5398a93391101bc6502f58ba2ae8b1a3"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T14:41:22.338Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 54 engines detected this 
file","id":"1171","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"158dfe52396df92c126317325dd2fde844e4a30f","file":"/etc/sample/script","alert_id":"6185213171.9052383","md5":"a9a457ae3efaecd4ce815c5f4069bfe1"},"malicious":1,"positives":"54","total":"154","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T06:04:04.497Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/data/file - 51 engines detected this file","id":"4637","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f087fcb8e721e8134f128e224ef8618764d5b16a","file":"/etc/data/file","alert_id":"1635951150.4352096","md5":"a6edfeb914c5bf298e9927fe19ab85d2"},"malicious":0,"positives":"51","total":"051","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T21:06:55.238Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2611","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9fae7134cda6f6935c3af91b9cb3bfed007517c1","file":"/tmp/virus/notavirus","alert_id":"6719425954.8374342","md5":"a5f96394a8a60b3d3c6d28da9fd0b843"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 53 engines detected this file","id":"2065","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a9206272634a4cee24bc66cd0c45449f462c486e","file":"/etc/data/file","alert_id":"1468899728.4033009","md5":"6d47a76ac71fda295167f8f6eb69cd37"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T15:20:41.470Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2788","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7ec17325f4d0fbf967108d83dfe3afd1c17b8df0","file":"/etc/sample/script","alert_id":"3621379810.5054201","md5":"0eaf49681411e9d1d9df1d9b202e4797"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1074","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"96c7a0b0ec34cde0bad91373f4fb415ed5d3d7e3","file":"/etc/sample/script","alert_id":"6438306192.4329489","md5":"c2a2d86537728a573fb6ef84ed569e0b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1800","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"03a25c2b3082514ac9fc927394997efe0c544e72","file":"/etc/data/file","alert_id":"8270935126.5658725","md5":"b686b2069d71a8fe79b7cf277b78acf7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 46 engines detected this 
file","id":"5314","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cf74e9afac99b444a896811183ec0d99636bec03","file":"/tmp/virus/notavirus","alert_id":"4691465832.6032064","md5":"757a1f4ac8f7c281f698e6432beceb7f"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-03T07:21:19.042Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 14 engines detected this file","id":"178","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c27ea42be1e7a73aa69e55ca15daedcc0e5741ba","file":"/usr/share/sample/program","alert_id":"0229029325.6037912","md5":"49a88e092e500e4fae66a4789d4d0ac7"},"malicious":0,"positives":"14","total":"014","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T11:42:32.593Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1177","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"93e991afcc96ca63aee4ace669cd8249b9b53d67","file":"/etc/sample/script","alert_id":"8206412825.0877750","md5":"367ea55acde9982461d35e1fd06d9513"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 46 engines detected this file","id":"4826","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"443a313860abbce798218f9b9e4e37abb5787651","file":"/etc/data/file","alert_id":"5933426069.7751958","md5":"46588a8b820fff8800e28a0ecb37b7e3"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-04T13:52:36.889Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 14 engines detected this 
file","id":"4510","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8af1434c930155893f3ad529857f33a229f18f86","file":"/tmp/virus/notavirus","alert_id":"6793568739.3605303","md5":"ab9f998ef06d9cd7c65772eea033b524"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T23:58:15.115Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/data/file - 39 engines detected this file","id":"2401","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3d2c548c1741469a04b27a15e00f2e8074f4e134","file":"/etc/data/file","alert_id":"7259286571.2337740","md5":"a9a473ab9f4ede7588e431b81949859a"},"malicious":0,"positives":"39","total":"039","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-06T03:16:29.204Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"2881","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"35a068f9a2c5ed35e6850ec67c45ec606b13b5f9","file":"/var/opt/amazing-file","alert_id":"0379511482.4966698","md5":"9b735bbdab97c0214a7a9ae19b243bed"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 61 engines detected this file","id":"2332","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6d520c390a8caff5da687c3788a34e9bcd7e6ad6","file":"/tmp/virus/notavirus","alert_id":"0833853417.3980341","md5":"a44771a3a40ecd17fb42b59c5e8b7dea"},"malicious":1,"positives":"61","total":"161","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T00:26:12.763Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 14 engines detected this 
file","id":"1723","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7c8baf1e5f5298981b65e01e936e1fa8324c2b86","file":"/root/super-script","alert_id":"9691259625.7617642","md5":"50486f4395cc71fc8f35b018ab099926"},"malicious":1,"positives":"14","total":"114","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-06T22:25:48.462Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/sample/script - 4 engines detected this file","id":"3279","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b41571ccd60609d1558b5e2d6c4948b73b1563c2","file":"/etc/sample/script","alert_id":"3193076564.1731977","md5":"63e77fdbe1274f6ac09ada0ef28e9233"},"malicious":1,"positives":"4","total":"14","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T15:29:39.786Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 48 engines detected this 
file","id":"2664","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e629aaa9544ec0e48ebdeb11db16b9f8978be487","file":"/var/opt/amazing-file","alert_id":"3557783241.8905998","md5":"af188a22093c407fac0d9413aac685f7"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T16:07:01.204Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 23 engines detected this file","id":"21","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d2ab06e637607d18dbd64f70ebb924c4acf7caac","file":"/etc/data/file","alert_id":"9500634236.8936854","md5":"2a0da412f091ddd0b96c7bfe739b25e9"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T00:24:39.284Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /etc/data/file - 17 engines detected this 
file","id":"1290","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d92b8a9120187c641f12a76695ecf8d8a33775f8","file":"/etc/data/file","alert_id":"1070173126.9737496","md5":"03df9ee02421c4e38ef1781c1a034673"},"malicious":0,"positives":"17","total":"017","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T02:22:54.809Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2502","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a4887cf4ac100a4e3384d7c81e44c683841b347b","file":"/root/super-script","alert_id":"4439338677.0584314","md5":"8d909d38d21f8a3076d1417c4d2f3c37"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 30 engines detected this 
file","id":"4682","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"aec92689d6e288d84c54935e3e938ffc846eddae","file":"/tmp/virus/notavirus","alert_id":"5539215803.2824097","md5":"9c1b0cbdd0d4e2b9a411de0d17e0dc5e"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-06T08:04:50.953Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 62 engines detected this file","id":"456","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"26dc84b233d32736fbcbc16b770b459d7cdd8541","file":"/etc/sample/script","alert_id":"0588309778.7236800","md5":"ce55a35dbd3276ad9f157c450d9a4e90"},"malicious":1,"positives":"62","total":"162","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T15:15:58.794Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 58 engines detected this 
file","id":"2688","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a476fbbba156f3b4f77f155ac60c7cabc8996ef4","file":"/etc/data/file","alert_id":"5115232970.9887896","md5":"27845b30486bf6a427b389084b58c807"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T22:38:10.028Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 9 engines detected this file","id":"2136","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b9b456e9b2a8922be1ed236982b81ffc758e116d","file":"/etc/sample/script","alert_id":"8951294221.5022116","md5":"52cebc8edde9471773b566cf0e499be5"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-05T09:09:43.776Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 46 engines detected this 
file","id":"3116","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cb64715111142adc3cffe53a546308ed1086f8bd","file":"/var/opt/amazing-file","alert_id":"8702007061.2268489","md5":"b6d723c1d3aee14b1ba0c242b1cd26ce"},"malicious":0,"positives":"46","total":"046","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T21:53:54.300Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /usr/share/sample/program - 48 engines detected this file","id":"2127","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4aa0539a058688d980aeb13dc030cb083050ba8a","file":"/usr/share/sample/program","alert_id":"4326071861.3998920","md5":"d6a7b7724b5738b32a7873301beed8b1"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T05:54:10.659Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /usr/share/sample/program - 57 engines detected this 
file","id":"1306","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fb5b2e780dead2d16c45e70176b07affc29ed5ee","file":"/usr/share/sample/program","alert_id":"5263861480.4500367","md5":"a4e01bb660a1ca5038d253aa2173a6cf"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T23:31:39.992Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3422","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"792e9441a0f8af60f85c9c74971dffab175696f8","file":"/usr/share/sample/program","alert_id":"3179230102.5892551","md5":"e79d34ae71525cdf018cd495941fcf3b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1671","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"cac10b1ac176e3f633d6bae097d2a079348a6e32","file":"/etc/data/file","alert_id":"9605864873.4401307","md5":"9b1aafc6efe6ee69c7f55c1d9323564f"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 0 engines detected this file","id":"2550","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"05781572a7c9dbac7143446a0d725621a913bb17","file":"/tmp/virus/notavirus","alert_id":"8654762573.9214268","md5":"45d973fabd3711f603c14588c75b56c7"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T13:23:01.452Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /usr/share/sample/program - 58 engines detected this file","id":"4197","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6ad56aba30890b320ab4ab4653102b52e886d87b","file":"/usr/share/sample/program","alert_id":"8307255318.8728004","md5":"637e90f52e112ce5f7b55ca014865cd7"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T21:27:06.224Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3905","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"8abf473df66b817554fdcae9b93c3d6c4ea62120","file":"/var/opt/amazing-file","alert_id":"0755400147.6168939","md5":"e87da636d744036bb2ebbb581f161d1b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 8 engines detected this file","id":"1211","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"87eb782afbc812498a9cb6fade2750f86d3c22d9","file":"/tmp/virus/notavirus","alert_id":"9794134333.9632169","md5":"f399156f7ecfd7fd965555aa82e4ede0"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T09:04:11.639Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4763","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"74136d7f09b2b439c842cf2c9f84e5470c2c309e","file":"/etc/sample/script","alert_id":"5917143218.0847681","md5":"ccc9a55ba12ddc9e50daa6794b443674"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 59 engines detected this file","id":"553","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6a81215df68ccdf7143be70c53e7415835a96e0c","file":"/var/opt/amazing-file","alert_id":"1042101293.1223166","md5":"d8b19092dd4d8f98c36adaff71705a29"},"malicious":1,"positives":"59","total":"159","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-05T12:48:27.487Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 32 engines detected this 
file","id":"103","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f2b1d9067724245de7ca585dec4d4ceaf6b367a3","file":"/tmp/virus/notavirus","alert_id":"0612095251.9891571","md5":"70392986cf619e052309f94287288fd0"},"malicious":0,"positives":"32","total":"032","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T20:34:05.986Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 65 engines detected this file","id":"2639","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b3b41267b4d97facf7f0e8481491f3b1acd25492","file":"/usr/share/sample/program","alert_id":"0647409976.9354095","md5":"03773b7546cb210bc0ea6ebfde365534"},"malicious":1,"positives":"65","total":"165","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-08T00:36:42.838Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 37 engines detected this 
file","id":"2381","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b0d2459fdb2d3d3f7ec9bf34a4ac5baade50d73c","file":"/etc/sample/script","alert_id":"2871625318.0983833","md5":"426b927a1bb1f12748649dacc55cd80a"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T01:55:44.980Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this file","id":"925","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3a70ec479c380b099fe065ac381015f7c35561e8","file":"/root/super-script","alert_id":"1528733473.4919445","md5":"7d30157c98b59d20379357109f4fec52"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T15:46:30.983Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /usr/share/sample/program - 58 engines detected this 
file","id":"4363","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9ad43c4fffdb4c73db65074bc07108ecdc93d16e","file":"/usr/share/sample/program","alert_id":"7622188450.3795402","md5":"4d3133aa2d59e49889cea9ace27b63f2"},"malicious":1,"positives":"58","total":"158","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T17:23:36.542Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/data/file - 65 engines detected this file","id":"3046","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"decb37db1dc8a67e9ff4c24d254d3d0830e0ba4a","file":"/etc/data/file","alert_id":"1029371620.3677356","md5":"e5ad8a0ee1067d5b5aa6ca472ab1772d"},"malicious":1,"positives":"65","total":"165","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-07T13:56:23.365Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 48 engines detected this 
file","id":"1818","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"07c24d8d35609c401e0450065072d533c1929595","file":"/etc/sample/script","alert_id":"1812735612.1766191","md5":"025a3bc922eb78b1504463093516900d"},"malicious":0,"positives":"48","total":"048","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T16:45:30.724Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2291","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"e724855426e720229f1a18b9571b1f8c962e565a","file":"/var/opt/amazing-file","alert_id":"0779332990.3261076","md5":"c877b92a6ef294202f76b5a8fb2cffe8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /etc/sample/script - 20 engines detected this 
file","id":"2891","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"47d99585dbcca2d1a6a08f5bcd7ba7a508788b91","file":"/etc/sample/script","alert_id":"4226237331.4377013","md5":"2201b567f21e6542aa08ab1c249b58c3"},"malicious":1,"positives":"20","total":"120","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T05:41:30.498Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4023","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b1ae0c4a44c4024d96de1260617d3aa5064f44b0","file":"/tmp/virus/notavirus","alert_id":"2925490156.8488899","md5":"4911fd87fd138b7a7d0fda835ce79c10"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 29 engines detected this 
file","id":"4069","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e507ad1b802628bcf28c65a7a62781f79729514e","file":"/etc/sample/script","alert_id":"6154075746.2656109","md5":"6f734113a40e732a0910a06e610e9b2d"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T15:13:33.999Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 37 engines detected this file","id":"3412","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ae47acad61e5308339ceeacc5a125c240d495cac","file":"/root/super-script","alert_id":"5297248445.0388195","md5":"30c30491df050ec6c5d93167bd3e3cde"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T15:26:12.934Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 51 engines detected this 
file","id":"2799","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"6afe55231370e155249c19f0c2428e355de63e67","file":"/root/super-script","alert_id":"8692479470.4668072","md5":"fb5a51cfa3516e3b4c043df165334bb6"},"malicious":1,"positives":"51","total":"151","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T13:32:20.373Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 21 engines detected this file","id":"2420","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e84977aa8475a0fb2097010c5a486dee0a8b3280","file":"/root/super-script","alert_id":"0516121753.4917117","md5":"12e0a17afd9ba65f22abda3fe7a9bd6b"},"malicious":1,"positives":"21","total":"121","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-01T23:35:32.674Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1797","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"09a9bb24072786081a544f61566d39a351ac321e","file":"/etc/sample/script","alert_id":"4078161300.8921760","md5":"6604563c1ab53562877199da614ff8a0"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 17 engines detected this file","id":"77","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7c96e9778e3c3ab13f8ef2a3b9f9da60b767c194","file":"/tmp/virus/notavirus","alert_id":"0346895429.8318361","md5":"20e529d2bf1ad0fcb273a78e4eb91fee"},"malicious":0,"positives":"17","total":"017","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-08T02:58:04.149Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /root/super-script - 9 engines detected this 
file","id":"3693","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"36b4bc236e3365c86a8a19cd41fa4d7170b7c430","file":"/root/super-script","alert_id":"8152902749.1914235","md5":"2a7c81d3700410b8c38516439a005c8f"},"malicious":0,"positives":"9","total":"09","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T21:22:55.621Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 1 engines detected this file","id":"310","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c0b530fbe2a2936d332a38cfc325a91bc21826a6","file":"/root/super-script","alert_id":"1712154032.8339235","md5":"c8335abb85736a960bce833065722ea6"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T14:05:02.625Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 56 engines detected this 
file","id":"4583","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"58024a513725b5123dfc75dacb0b736b436a2b62","file":"/etc/data/file","alert_id":"9203618192.5237199","md5":"5c27414f4b1128c09cdd761ad4c70e07"},"malicious":1,"positives":"56","total":"156","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-05T07:56:29.898Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"774","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d371677a6f5a4ef82c19ee0283a08ff85f4cbf79","file":"/etc/sample/script","alert_id":"0179278878.1737892","md5":"f53cbd3e4b170157ed2b0edee614d68f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 5 engines detected this 
file","id":"5794","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d7febba93e09d982731d9fec6050ffdb4f184b02","file":"/etc/data/file","alert_id":"4997488104.6806924","md5":"7815f53f56e689d67f6f4eb8083e31f8"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T12:59:45.116Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 64 engines detected this file","id":"454","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8bff4b54d24e2f6900d24f8681777c8ae18a8e84","file":"/etc/sample/script","alert_id":"9302467868.7536231","md5":"dd17c267c9971caed12d64ae878794e4"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T09:11:05.464Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 8 engines detected this 
file","id":"4175","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"da43207b619dff3182d02b64977b923675f50f4a","file":"/etc/sample/script","alert_id":"5833375843.3411425","md5":"ca46ba475fe226eb343e756602a25fb6"},"malicious":1,"positives":"8","total":"18","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T12:03:09.333Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 42 engines detected this file","id":"5968","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"fde85d20c86a6434ec0c5a816dadaf3f2017bb26","file":"/etc/data/file","alert_id":"8589869475.5116254","md5":"10a5fcaa16821580d5dae685c1514329"},"malicious":0,"positives":"42","total":"042","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T22:00:38.072Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1810","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f73562388631512ab89e2dbd4373865fec6c781e","file":"/etc/sample/script","alert_id":"4387713138.7359532","md5":"dc0d2780722210380cc84a5f717f00f0"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4223","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4394a24cf3852a516ec5db67e725b5cf9b75c975","file":"/etc/data/file","alert_id":"4714847639.3695204","md5":"fb3d83441042eaa67f3ca0c2e0a2cd38"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 4 engines detected this file","id":"2593","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0cc448527a0f37ab7f489b146ea57225e44c4768","file":"/etc/data/file","alert_id":"8172995802.8996393","md5":"d4837c639aaf06c5033e3c81363c0500"},"malicious":1,"positives":"4","total":"14","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T16:41:30.364Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4157","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"26c34cfa2deb6673c1401b73df40e41fb8518b0b","file":"/tmp/virus/notavirus","alert_id":"1476053935.0280369","md5":"b52feddac616efc6219bba9c78561d5e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /var/opt/amazing-file - 60 engines detected this file","id":"4645","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b8fe1b41a4276b5ffedc4ac86e9d5e889c0e6e56","file":"/var/opt/amazing-file","alert_id":"2692244520.6803136","md5":"e76e15aa87c5f92bbfa194cf77b9401f"},"malicious":1,"positives":"60","total":"160","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T04:58:39.860Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"469","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"6516701d0e00edd6ecebe5586784461d66daf66d","file":"/root/super-script","alert_id":"9751493670.7037412","md5":"4b49ad8732a174537850b1a469f0d598"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 29 engines detected this file","id":"1626","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dbd62bb52e98f392b5eedc89419b9e38f354e2c6","file":"/var/opt/amazing-file","alert_id":"7725001197.5920499","md5":"57b69a581217319f29bc71774ee918e1"},"malicious":0,"positives":"29","total":"029","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-05T16:25:08.720Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1977","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1d72bbaffcfb46c57a0de43915ada36f8ff4460d","file":"/etc/sample/script","alert_id":"0691332739.8908400","md5":"44e3dc012a9f2ebf7a8ff6c563dc69e6"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5261","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9beb7941819c4d3f96c9e8faf51d6e290fbe0e48","file":"/etc/data/file","alert_id":"8581153169.9272848","md5":"71c8394830117cbe5e2364d10f40e883"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1819","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"25038b5d020dac14584daa3644547dc38847d5bc","file":"/etc/sample/script","alert_id":"9492214829.6235997","md5":"fa046549c5945b86bf94a2c6ec2f391f"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /var/opt/amazing-file - 58 engines detected this 
file","id":"2814","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f96ed16f4bf07d103c2e508601f626cb8cd39dc1","file":"/var/opt/amazing-file","alert_id":"1533376153.5560130","md5":"8f1e576b0f206c76168c307ff1a84d0d"},"malicious":0,"positives":"58","total":"058","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T09:16:10.149Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4206","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"96315cc91adaaea0878e0d0eff2738106570ffda","file":"/etc/data/file","alert_id":"9648959452.5438813","md5":"a78e0d933d02092cf9d10408b16d63b3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 44 engines detected this 
file","id":"3626","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"541f3a709ac08f9d5283ab018f69ce88eb9c728a","file":"/tmp/virus/notavirus","alert_id":"0628978092.3487550","md5":"27e933132ac9cf76eda2a11f86d48923"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T14:12:41.881Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 2 engines detected this file","id":"4941","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"38e22529a29f3ad5976a4c80c2d39db130d12121","file":"/etc/data/file","alert_id":"4852628883.8530075","md5":"ed1c0b9756e4f152f4e3990c20406a1c"},"malicious":1,"positives":"2","total":"12","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T04:12:58.359Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 21 engines detected this 
file","id":"313","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"0302dc5425a1e32badcbdd3036194de7c6138382","file":"/var/opt/amazing-file","alert_id":"3779546711.5426251","md5":"726e6f20b1fecc00fb5671d07850d773"},"malicious":1,"positives":"21","total":"121","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-07T17:27:59.342Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 33 engines detected this file","id":"1552","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"99ac927607def72095fc65681a040dc293792f14","file":"/etc/data/file","alert_id":"9596527993.2473010","md5":"90836214c25e6e7d700945c271197900"},"malicious":0,"positives":"33","total":"033","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T12:40:50.772Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/data/file - 4 engines detected this 
file","id":"198","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"097d819ea2e52f068382684f6558cd04b8372136","file":"/etc/data/file","alert_id":"8121063147.2871461","md5":"028a584c3ce716c47559613f917d4a65"},"malicious":0,"positives":"4","total":"04","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-04T12:37:37.791Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 30 engines detected this file","id":"2266","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ddf3e4c2ff2a551cb9c53429899dcc648c871521","file":"/root/super-script","alert_id":"4981772540.9453358","md5":"01d53e15f40a83700c2a94bce45efe76"},"malicious":1,"positives":"30","total":"130","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T23:17:29.595Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5017","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0daf6aab4cc1491c402adc19e089609d7c6b7098","file":"/var/opt/amazing-file","alert_id":"8318181178.0814742","md5":"cbafd3905a1aac6fef7bfd21fdb98946"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5351","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"83a5acafaab898286704bd27e29493e9acb2b765","file":"/root/super-script","alert_id":"8015610306.7937815","md5":"2041b76c1fd4be7192a00deae5a3cc83"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /var/opt/amazing-file - 30 engines detected this file","id":"3314","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4ea03de6570456d3f01a0847024e3496d78fa5b8","file":"/var/opt/amazing-file","alert_id":"4073135028.9221603","md5":"b4664cfe4d4a52e3a5ebcdaeba5f4e78"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T11:00:18.843Z"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 29 engines detected this file","id":"2770","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"518b95fedc75fc28308b22cd628b5899d6349d29","file":"/usr/share/sample/program","alert_id":"5721298171.6869439","md5":"a48809c955df24cac45574e7a0095089"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T05:16:36.340Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5019","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"583d7a928b6dffbc6836db5813e073a201856b44","file":"/etc/data/file","alert_id":"5738561940.0221359","md5":"b8d1453425cbee8037a25a03615c0aeb"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1278","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"7d1bd3908b2d73c2435d35de54991931338a3189","file":"/var/opt/amazing-file","alert_id":"2715624278.4066430","md5":"a5e0a509ad064fa3c2528893e788bb04"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1602","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"1235b0aae602d7ba0e43df6ccde9087935d28f32","file":"/etc/sample/script","alert_id":"6268096623.3260127","md5":"b7f050f7f56e671900d7ffeb446d3046"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"1447","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"812fa6b0fec5568855a31ae9cf62793c89b3c5c0","file":"/usr/share/sample/program","alert_id":"6511858707.4504085","md5":"ae0fb946bc598875bad62f51a35ac3f7"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /var/opt/amazing-file - 17 engines detected this 
file","id":"4088","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c00db8cbfe6dbe1e04baf43768b13b4fc8db7780","file":"/var/opt/amazing-file","alert_id":"2633543279.5319991","md5":"0725af1797f28eadac542422641f9f51"},"malicious":0,"positives":"17","total":"017","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-01T21:37:54.369Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /etc/sample/script - 41 engines detected this file","id":"5350","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"33f507764ce91c8db13bf7030ce1df1511a0fae9","file":"/etc/sample/script","alert_id":"8304865290.4924291","md5":"ecab344ef468215992e7b1108eb4986c"},"malicious":1,"positives":"41","total":"141","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-08T09:21:02.169Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 45 engines detected this 
file","id":"4369","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b1ffa862a19f6cf63fe3ce18788e41d6d391c1e9","file":"/etc/sample/script","alert_id":"2482497703.5116305","md5":"64ab7881cbcb58e857cbe362c5336f37"},"malicious":0,"positives":"45","total":"045","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-06T15:17:29.097Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 43 engines detected this file","id":"1547","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"66b80e77dc66c64e4bd2fa920c479af322816653","file":"/tmp/virus/notavirus","alert_id":"7107567533.5813042","md5":"0814db05af377124e1811cf67dd5c705"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T13:59:08.994Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"1757","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a036fbdca9cfbed48eac290f1f72a9e047d3f7b6","file":"/tmp/virus/notavirus","alert_id":"8991631126.7155672","md5":"50397b31ff2ebcd4101105bec6c38eff"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 29 engines detected this file","id":"2344","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"8221fd61f9cee637706442ad647e7cd11714ccb8","file":"/tmp/virus/notavirus","alert_id":"8086005920.8105767","md5":"544e0d045a4f8a55bd377af0eb68c2b8"},"malicious":1,"positives":"29","total":"129","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-07T20:30:47.089Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/data/file - 18 engines detected this 
file","id":"1012","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"411381906c3c4eacd8cabea660a5b8851487f0ea","file":"/etc/data/file","alert_id":"3028280436.8743084","md5":"f7d0164ec0a79a13f0a36bb6d56417c7"},"malicious":1,"positives":"18","total":"118","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-04T11:12:11.873Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /var/opt/amazing-file - 53 engines detected this file","id":"319","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3dfeb2f29d6b5194da1eb3c2fb72835745bfbe57","file":"/var/opt/amazing-file","alert_id":"8622007974.2798902","md5":"bb1bd547e6c9a5f6d5407f0313efd426"},"malicious":1,"positives":"53","total":"153","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T06:11:23.034Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 42 engines detected this 
file","id":"1949","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e3e3ecc241c88a97a354117ed000ac59bf398596","file":"/root/super-script","alert_id":"1303010522.7276543","md5":"8ea0e54ab22a3fd15bd84b371bd0e0ea"},"malicious":1,"positives":"42","total":"142","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T13:40:36.776Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 6 engines detected this file","id":"2665","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2196c49510853ded315d6665215078f9e98c8895","file":"/etc/sample/script","alert_id":"0553471769.9813802","md5":"f436091e6241f1392876f4e97d49b764"},"malicious":1,"positives":"6","total":"16","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T00:06:33.322Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"4038","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"a6a72dc926ec0adfefb6cfe01ebee579cd0447b5","file":"/root/super-script","alert_id":"7424276407.1328158","md5":"8269bebaa11402db9fceb3f00ae7dd46"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 40 engines detected this file","id":"5297","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c3d8e525ef18b3b6fe544675008db6923f5c3e7d","file":"/var/opt/amazing-file","alert_id":"7162155706.6430563","md5":"c431ede9fc3667a53ee2211d647cae5b"},"malicious":0,"positives":"40","total":"040","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-02T07:04:14.465Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 65 engines detected this 
file","id":"4965","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"a213864684133458c08b4555bb249e41d4c9363e","file":"/etc/data/file","alert_id":"8575233080.5490307","md5":"13402e22fcb4d08a6ff8e0e96c661dd8"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T04:07:35.778Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /root/super-script - 38 engines detected this file","id":"2342","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e31d52eb8c5f2c85893847f26f182d9e8f5378df","file":"/root/super-script","alert_id":"4523504121.4827918","md5":"d5323c11747c412da35ddbda3385bb6b"},"malicious":1,"positives":"38","total":"138","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T02:10:05.898Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - /root/super-script - 59 engines detected this 
file","id":"2586","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"20563c7fe490fd4cf21e0c50fffe9203d678caa3","file":"/root/super-script","alert_id":"4641946558.6059752","md5":"8c127d47e03379245043ec3c018d1bb5"},"malicious":1,"positives":"59","total":"159","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T19:12:55.965Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /root/super-script - 65 engines detected this file","id":"2596","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c192bae00bc700623620a3c7d7fc0998ed730748","file":"/root/super-script","alert_id":"2597521441.1005917","md5":"58295ff44eca315e91acb8249d373e48"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T02:04:52.148Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /root/super-script - 1 engines detected this 
file","id":"3427","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ff9486345cc588787b91d27e0c5f8dd1262803d0","file":"/root/super-script","alert_id":"9514530978.4553279","md5":"4da937e7ec8af75714e9521768b1cd53"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-07T01:29:44.129Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4704","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"aad20039a8c56dff1bc1ac42a7bbfbe0536f65a8","file":"/etc/sample/script","alert_id":"9201014238.7233693","md5":"603fff235215d139102e381738d82af4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"181","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"149b275814bc66c3e3666f991b8371ab918601a3","file":"/usr/share/sample/program","alert_id":"1592698797.9054428","md5":"1ccd0d6f427aa1b5d0953524f66ba79f"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 28 engines detected this file","id":"156","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e9b5e4c10c60d7d7105b0e3e4f17c0c731d93469","file":"/tmp/virus/notavirus","alert_id":"9958053020.5163184","md5":"9e117c240aa7738127a151468fadcfc4"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-03T17:01:23.409Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /root/super-script - 65 engines detected this file","id":"959","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"632fa4d8e29afa505fec93efdb0f22e8008673c4","file":"/root/super-script","alert_id":"3999754508.3766529","md5":"832189e8d354045addb873cd0d665419"},"malicious":0,"positives":"65","total":"065","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-01T19:21:11.325Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /root/super-script - 36 engines detected this 
file","id":"5788","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d608a22780384b66f679d3cf427d60629ca68f0c","file":"/root/super-script","alert_id":"6348114149.0405633","md5":"af6dbb3583ed59d6f36284697a110ec2"},"malicious":1,"positives":"36","total":"136","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T09:46:05.122Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /usr/share/sample/program - 23 engines detected this file","id":"4131","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c8808eb02a9c39c974224acb5591fa57bffc9e3c","file":"/usr/share/sample/program","alert_id":"8710715277.7602457","md5":"3a241abd431460933d576e26bce2ce05"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T19:45:36.525Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /var/opt/amazing-file - 48 engines detected this 
file","id":"4387","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c4ddf2f520824050a3ddcc6dd45932560c65ca00","file":"/var/opt/amazing-file","alert_id":"4743200274.7868051","md5":"45d233e230b6f478aa5cfd6182ee7f13"},"malicious":1,"positives":"48","total":"148","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-07T00:26:13.343Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /etc/sample/script - 33 engines detected this file","id":"461","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"42e822c2309130214c5214e4a8e3263b51107c83","file":"/etc/sample/script","alert_id":"3692281373.3921273","md5":"10cfc944c3a6dd6aa87e04bf1058e06f"},"malicious":1,"positives":"33","total":"133","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-04T22:42:17.155Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /etc/data/file - 30 engines detected this 
file","id":"71","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"15ce4b434f2afdbf6f4b98a2812383569177aeba","file":"/etc/data/file","alert_id":"4303528740.1418175","md5":"7593bb3c02e2a86abd78170d8506c2be"},"malicious":0,"positives":"30","total":"030","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-07T03:46:16.764Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"4909","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"4cd22955a57f10e688d9708bbe4be01ff3e6ddb0","file":"/var/opt/amazing-file","alert_id":"0436635726.8867627","md5":"93699cfaf918aae8a664f2230f24103c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /etc/sample/script - 21 engines detected this 
file","id":"176","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f2ccccb2eb081fca7e5d7c51510bb22a82e0d8cb","file":"/etc/sample/script","alert_id":"2662006082.7186070","md5":"e9f85a3203fa0212bd8f3ab1149ed47a"},"malicious":1,"positives":"21","total":"121","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-06T02:12:18.406Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 0 engines detected this file","id":"764","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3879e3c4d4e36dd6a4e4fbdc2b10f72b07e6835d","file":"/tmp/virus/notavirus","alert_id":"9139981274.5942303","md5":"b6d6f888a5ad1762feef2522f0cf7183"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T08:51:18.502Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"775","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"29ae45024ed71d4add26e0d04b08e6dd481c38bb","file":"/usr/share/sample/program","alert_id":"1809441435.9907632","md5":"2c7017d45b03dc62b36b167606975db3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /var/opt/amazing-file - 24 engines detected this file","id":"2772","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"9fdbc611f4afdb4b86c87449992486b10ceed343","file":"/var/opt/amazing-file","alert_id":"7681018963.2965260","md5":"31cf2be7465986cd4e040246817668f2"},"malicious":0,"positives":"24","total":"024","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T19:14:55.259Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"2993","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2ef452af32599df416923f234281b9e733651815","file":"/etc/sample/script","alert_id":"2828266589.0384089","md5":"28115a64683fdc5253b73124852b471a"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 12 engines detected this file","id":"3411","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"04dca817e99d1c474ed1541ad7d0da7966c459d2","file":"/etc/data/file","alert_id":"3810797508.5900763","md5":"b6e95031662db3dcde1cba5780fba9f7"},"malicious":0,"positives":"12","total":"012","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-02T08:01:17.245Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3430","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"c030e8aacc8abb239596c490b0d471fdaa9b9963","file":"/etc/data/file","alert_id":"0973850366.1380930","md5":"a29434e19ab35e1f96e22c91c23f147c"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /etc/sample/script - 62 engines detected this 
file","id":"4618","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5177591c0520a79fdf143b303f54286b86bc4b44","file":"/etc/sample/script","alert_id":"1985450820.6307925","md5":"fbbc7151d5319ab255d51dde97afe627"},"malicious":0,"positives":"62","total":"062","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-04T08:47:14.943Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/sample/script - 54 engines detected this file","id":"3650","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"711cbca880dff80e548bbd7183f466a20e1d8f0b","file":"/etc/sample/script","alert_id":"9542963082.3335604","md5":"4d178dd79475d04d0366084bb672ed4f"},"malicious":0,"positives":"54","total":"054","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-06T20:21:48.635Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"400","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"3646b0a6a349b41b6d91983994ddcd65711aeb6b","file":"/etc/data/file","alert_id":"9889671893.1499965","md5":"9d6a21dc954855350dc3927c08783bf3"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/sample/script - 28 engines detected this file","id":"564","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"e3b3fd4636fec50190229f06dbe80aabe386acd8","file":"/etc/sample/script","alert_id":"8252050274.7853140","md5":"07e628380684e7e515cee6bb613b65d2"},"malicious":0,"positives":"28","total":"028","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-02T20:23:39.495Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5962","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"9f2372f4314c7442504bb36d33fcbd703c076557","file":"/etc/data/file","alert_id":"3131860669.0201337","md5":"c081564aa492cf99fd66ea384ce50868"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3409","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"780617999e35894772de217478cb5eaca6cf741b","file":"/etc/data/file","alert_id":"5506515020.6960699","md5":"542271e3f4ce6c2b9b89813b1cdb6ebf"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5243","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"df7d192a2e11fb95c674f1dd7dbbb54740f4e15e","file":"/usr/share/sample/program","alert_id":"2678366707.5276990","md5":"bc1d7b1aacfd83cd3b9249bc6c53a30e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 26 engines detected this 
file","id":"5515","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"1356c49fc4d211d0ea7e214851304ea0b9dc34a2","file":"/tmp/virus/notavirus","alert_id":"8281249665.9878482","md5":"d7116e637f25cc1a717e6bd6e0185b3e"},"malicious":0,"positives":"26","total":"026","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-05T00:46:10.117Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /etc/sample/script - 0 engines detected this file","id":"1545","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"50fcd64a11632bb6f95ca4e3378908e78199514e","file":"/etc/sample/script","alert_id":"7346793311.4574423","md5":"0a8111073a6f33f43be40b1570773645"},"malicious":1,"positives":"0","total":"10","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T01:23:46.244Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"5939","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"b6f96cacfeff6f14f297721277c6a1dd65a8f58f","file":"/etc/sample/script","alert_id":"5412575350.2513616","md5":"2c53a8c6fd0100f6a8680c1941ed6c78"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 55 engines detected this file","id":"5973","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3508d5f2eed807f8afda60eff28a05f1fe4c9f61","file":"/tmp/virus/notavirus","alert_id":"8198935058.0398156","md5":"6cb0b1cec2c9c643fb32f4e9555e7e29"},"malicious":0,"positives":"55","total":"055","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-02T23:25:12.105Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"989","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"d89012a45a2acb98b20736a754607da4e8eb323f","file":"/tmp/virus/notavirus","alert_id":"2990774094.4087516","md5":"0616a6fb0717afeb9ff54bdccc6dcc9b"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /etc/data/file - 11 engines detected this file","id":"5079","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"bd3c216975e89dfaad2184796db2667830fc3759","file":"/etc/data/file","alert_id":"3331474507.8409861","md5":"f8497cccc35c72f75e9181a031d9da1e"},"malicious":1,"positives":"11","total":"111","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-03T02:38:35.015Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 44 engines detected this file","id":"2147","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"56bca8b7fbb24a18658a74d99bf6f0497e410bcd","file":"/usr/share/sample/program","alert_id":"9944943978.8561077","md5":"e30f536c354e84de6c98965809a1026e"},"malicious":0,"positives":"44","total":"044","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T21:32:52.675Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 65 engines detected this 
file","id":"4535","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2ca50d2daf2b2562d60e41d8c82fe6f723eb8257","file":"/tmp/virus/notavirus","alert_id":"2345520487.0447917","md5":"68f261571ff4670a660af11aab4a5de0"},"malicious":1,"positives":"65","total":"165","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T07:44:19.569Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 27 engines detected this file","id":"898","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"c89ffdbefcdb8fded997cce249b5de1b93ab6755","file":"/root/super-script","alert_id":"4421051724.4584109","md5":"4df5220ceff28e8a2365bbc27b276d4d"},"malicious":0,"positives":"27","total":"027","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-02T03:34:27.501Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/sample/script - 29 engines detected this 
file","id":"3705","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dcba14d04ff3e75e41e4a9e31596a5f7214067fc","file":"/etc/sample/script","alert_id":"0983786700.6030764","md5":"9624b4dd72a96692805e303e2e476afa"},"malicious":0,"positives":"29","total":"029","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-08T08:50:03.191Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 59 engines detected this file","id":"5965","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"457d647ac7330b7b13687e1c110d1291337a9c68","file":"/etc/sample/script","alert_id":"7389802479.1457466","md5":"dd570e0fece8c3144df00d0e0eb686b4"},"malicious":0,"positives":"59","total":"059","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-01T23:12:02.110Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 60 engines detected this 
file","id":"4292","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"dd393bce4b5980e4e8393c7626bf505b6f790bd3","file":"/etc/sample/script","alert_id":"2613874094.0185526","md5":"e3548837bd839cf1108c0c4ad58466c3"},"malicious":1,"positives":"60","total":"160","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T14:40:14.603Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /etc/data/file - 8 engines detected this file","id":"3820","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"d1b93ac5610a20b736cd00ff84cfb4fe7f6f738d","file":"/etc/data/file","alert_id":"2176910718.4284926","md5":"418bc7001182dd7b09f6cb79a5532c8c"},"malicious":0,"positives":"8","total":"08","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-08T02:03:00.648Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"VirusTotal: Alert - /var/opt/amazing-file - 1 engines detected this 
file","id":"1805","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b40a0b4160cf7c18dea214baea5720b794e074b5","file":"/var/opt/amazing-file","alert_id":"6760115912.1996823","md5":"495503dc26e83e3274fe85b6873bfec1"},"malicious":1,"positives":"1","total":"11","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-05T13:06:07.167Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/data/file - 46 engines detected this file","id":"5444","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7971c1607e1da0759f81adec92d4ee85f0d6e206","file":"/etc/data/file","alert_id":"9179523589.1930820","md5":"d2d44ee59fc8ca6e6c520826549b1772"},"malicious":1,"positives":"46","total":"146","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-07T12:36:57.196Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /root/super-script - 28 engines detected this 
file","id":"56","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"2139a350392b0bbafdd0ddd912df4b390baf9a5e","file":"/root/super-script","alert_id":"1391731101.1347526","md5":"ecde373955d6a6c49d6b8767c7b151f9"},"malicious":1,"positives":"28","total":"128","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-07T02:43:54.780Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 37 engines detected this file","id":"1305","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"4df3ce6a68f5dfc13ad43f9b31cf28b36ba591a4","file":"/root/super-script","alert_id":"9768384046.5060664","md5":"00951e9bd8bf980478c03b7903226e8d"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-01T21:47:40.081Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 45 engines detected this 
file","id":"2202","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"85eb1e764b067e9eebe4e49b00c93f292d9e2a94","file":"/tmp/virus/notavirus","alert_id":"5888096045.1389965","md5":"e3279eb3a73997a55255ef10bbe9c0b9"},"malicious":0,"positives":"45","total":"045","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-02T19:24:59.377Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5208","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"2cbb693502caa6f7138932094abcc627c1eba5de","file":"/etc/sample/script","alert_id":"5655169276.8357875","md5":"2ee7afdc9a2323019ef1868e841b353b"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 55 engines detected this 
file","id":"256","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b8a1ab810433974189bae83b30d19d83b5099881","file":"/tmp/virus/notavirus","alert_id":"9875261959.8860930","md5":"498a9781cb482d3e32c42932035380a2"},"malicious":1,"positives":"55","total":"155","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586879233","scan_date":"2023-03-03T21:50:08.515Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5196","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"71c01f4aa4e1e747a070577c0196f4e67618c12e","file":"/tmp/virus/notavirus","alert_id":"1347487144.7691747","md5":"2cf4b20755ca5c3220cb2e4f640a1611"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"5325","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"fa9152478b3b3f16388fda2312f20269f3d32a9c","file":"/root/super-script","alert_id":"0018429356.2317431","md5":"df9ed5d472e5001ce26eb6fe9611e62c"},"malicious":"0"}},"location":"virustotal"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3732","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"0270677066ea57d8607353f2789df8d39a78719b","file":"/etc/sample/script","alert_id":"0747095707.0579856","md5":"16a39f2256c60db76b5e3d3266c43e8e"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"VirusTotal: Alert - /etc/sample/script - 57 engines detected this file","id":"947","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3a8722e641d3129942e71c64d2b232d384016c52","file":"/etc/sample/script","alert_id":"7153299799.7884569","md5":"16548caaafd9bca76df1729e8ce45443"},"malicious":1,"positives":"57","total":"157","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-03T22:07:09.142Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 7 engines detected this 
file","id":"2326","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"eb6bc6a27de3f60b14f599b1a851d857311bd134","file":"/tmp/virus/notavirus","alert_id":"5251567712.0098776","md5":"3f8c725a30049601a2f12e9e1a0a63a5"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-05T12:25:20.922Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /usr/share/sample/program - 23 engines detected this file","id":"3732","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"db19774eba7f6e4ec2edc1e67908654664d21921","file":"/usr/share/sample/program","alert_id":"0723739118.7182998","md5":"c638ab3aa4c4d1b6a0eeecf84c17817b"},"malicious":1,"positives":"23","total":"123","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T19:00:54.632Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"VirusTotal: Alert - /etc/data/file - 0 engines detected this 
file","id":"3014","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"01c359dc16bdb3a2e30394366d69e135b95b8f41","file":"/etc/data/file","alert_id":"9978877274.9057555","md5":"11565476e8b5fed3a93a3a790b759f13"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-03T18:22:27.635Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"VirusTotal: Alert - /etc/data/file - 7 engines detected this file","id":"1072","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b006616c3e6595991c3d3c2e124571f7bbbca7d0","file":"/etc/data/file","alert_id":"0997547714.2774285","md5":"d62efcf5fb1999b228706a342b83b382"},"malicious":1,"positives":"7","total":"17","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-02T10:58:02.884Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 37 engines detected this 
file","id":"4355","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3ebe93b77faa2685be010050dab01c9fd2b863b2","file":"/tmp/virus/notavirus","alert_id":"2107868855.7753723","md5":"fda958071157cf12fb73f13cd66f387f"},"malicious":0,"positives":"37","total":"037","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-02T01:52:24.516Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/data/file - 57 engines detected this file","id":"901","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"852845bd7c586a34650009889b1be59a0d646719","file":"/etc/data/file","alert_id":"1473889519.9219133","md5":"0437e06a2b8f6b7e1c10fa6ad28c6b8a"},"malicious":0,"positives":"57","total":"057","permalink":"https://www.virustotal.com/gui/file/0a049436fa6c103d4e413fc3a5a8f7152245a36750773a19fdd32f5f6e278347/detection","scan_date":"2023-03-03T17:06:49.984Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this 
file","id":"236","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"910e7b2454403a23af5f1e944411e2e414f1c630","file":"/root/super-script","alert_id":"4853907923.1939425","md5":"1c852442d5a7045bfe8e9ef08d2a9b8c"},"malicious":0,"positives":"64","total":"064","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-06T14:31:15.738Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 5 engines detected this file","id":"5360","mail":false,"groups":["virustotal"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"cdfcd4885e9ec842ad7763a640f93d4afabb9239","file":"/usr/share/sample/program","alert_id":"6813192415.6618274","md5":"c9042937ae30755d780874c9448018ac"},"malicious":1,"positives":"5","total":"15","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-05T09:56:26.125Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /usr/share/sample/program - 17 engines detected this 
file","id":"2003","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"15238805a4d8c58c8d0a3cdaaef89d6952442c06","file":"/usr/share/sample/program","alert_id":"4206390256.3674199","md5":"8274c07fea983f04c829e92bb16e6e54"},"malicious":0,"positives":"17","total":"017","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T23:27:14.876Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 13 engines detected this file","id":"416","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"5612ae345cd0c412a43ccf7949bc428fc7313630","file":"/tmp/virus/notavirus","alert_id":"3036365916.0776252","md5":"c0d259bfe6c5c1b9b12918f56e465604"},"malicious":1,"positives":"13","total":"113","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586876465","scan_date":"2023-03-04T18:30:49.750Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"VirusTotal: Alert - /var/opt/amazing-file - 63 engines detected this 
file","id":"4317","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ad7f2c79780e5a5f08ede150d68fbd277f8f0970","file":"/var/opt/amazing-file","alert_id":"3099629652.9109246","md5":"57bc007975dd5bbdf7dc37c1b6ca3ecf"},"malicious":1,"positives":"63","total":"163","permalink":"https://www.virustotal.com/gui/file/417871ee18a4c782df7ae9b7a64ca060547f7c88a4a405b2fa2487940eaa3c31/detection","scan_date":"2023-03-06T08:39:09.421Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"VirusTotal: Alert - /root/super-script - 3 engines detected this file","id":"1680","mail":false,"groups":["virustotal"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"3aeb093589a38887dbc3007f6515278bd5e1b782","file":"/root/super-script","alert_id":"1810982559.4923126","md5":"0b835401af0ac92627fcbdf13830c1cf"},"malicious":0,"positives":"3","total":"03","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1586543564","scan_date":"2023-03-05T00:05:01.539Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"VirusTotal: Alert - No records in VirusTotal 
database","id":"3226","mail":false,"groups":["virustotal"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"f19f279682aadc04a1ca56b3237a4c4eab436627","file":"/root/super-script","alert_id":"6587375082.2555408","md5":"089f7c2dd4cc0d56643ef24c9182aee4"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 39 engines detected this file","id":"4799","mail":false,"groups":["virustotal"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"f7452d123211287e4cfaae0dc25b2db0735c28d1","file":"/tmp/virus/notavirus","alert_id":"3906435271.9232932","md5":"f2fdef2ec223a52b66a19e59fd3578f5"},"malicious":1,"positives":"39","total":"139","permalink":"https://www.virustotal.com/gui/file/509790d92c2c8846bf4ffacfb03c4f8817ac548262c70c13b08ef5cdfba6f596/detection","scan_date":"2023-03-03T07:27:44.721Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"VirusTotal: Alert - /root/super-script - 41 engines detected this 
file","id":"4949","mail":false,"groups":["virustotal"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"7ebe8cf231614289e52ecac71182de70e8e9de83","file":"/root/super-script","alert_id":"2944971132.3558957","md5":"06ecb4ce9b1288504a9c927f92d44f4b"},"malicious":1,"positives":"41","total":"141","permalink":"https://www.virustotal.com/gui/file/1bbf37332af75ea682fb4523afc8e61adb22f47f2bf3a8362e310f6d33085a6e/detection","scan_date":"2023-03-07T12:22:27.793Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"VirusTotal: Alert - /root/super-script - 64 engines detected this file","id":"799","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"ab840b305dfffe5a44b3ec1c515ad39436c638cf","file":"/root/super-script","alert_id":"1448537100.5109896","md5":"f940fd6067cf0dbec6b6498d7a7e435c"},"malicious":1,"positives":"64","total":"164","permalink":"https://www.virustotal.com/gui/file/e68cda15a436dfcbbabb42c232afe6caa88076c8cb7bc107b6cfe8a08f6044dc/detection","scan_date":"2023-03-03T14:51:22.160Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /tmp/virus/notavirus - 0 engines detected this 
file","id":"4922","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"b53bf056ee60ae309b051718b4db6f87bd1d3698","file":"/tmp/virus/notavirus","alert_id":"1158251365.6421519","md5":"d29aae2fefe567fdf605ecdffd0ba8f4"},"malicious":0,"positives":"0","total":"00","permalink":"https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1587084411","scan_date":"2023-03-07T01:01:38.889Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"VirusTotal: Alert - No records in VirusTotal database","id":"3463","mail":false,"groups":["virustotal"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"0","source":{"sha1":"5008acbdba5472c270d0a861a305b5974c231a58","file":"/tmp/virus/notavirus","alert_id":"2215690607.3145583","md5":"d81f8022d4ecf593483908d6efc384b8"},"malicious":"0"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"VirusTotal: Alert - /etc/sample/script - 43 engines detected this 
file","id":"2811","mail":false,"groups":["virustotal"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"virustotal":{"found":"1","source":{"sha1":"241c6b7d0564b2b16c362eae42a37bc3f87045cf","file":"/etc/sample/script","alert_id":"1146984516.1368386","md5":"8205250345d3e1920a49f43f4e9d840a"},"malicious":1,"positives":"43","total":"143","permalink":"https://www.virustotal.com/file/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267/analysis/1586863229","scan_date":"2023-03-04T13:26:51.875Z"}},"location":"virustotal"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2322","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2055","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4504","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error 
message","id":"5715","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5388","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"2108","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"3586","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error message","id":"2393","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error 
message","id":"2186","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"35","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5931","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"1287","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"3308","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5000","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
10%","id":"4587","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error message","id":"1843","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"4163","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"3562","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5161","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2947","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error 
message","id":"5219","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"290","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"1513","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1654","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1797","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"2959","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3528","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3399","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"2416","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5733","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"1470","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3354","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"1877","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"2078","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"3838","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response last: User host","id":"2940","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"1181","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1986","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1557","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"1017","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"4068","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2822","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response last: User host","id":"5671","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4265","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3736","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response last: User 
host","id":"3271","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"984","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2572","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"5988","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"3012","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"2070","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2473","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"3765","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"1895","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5560","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4326","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"930","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5704","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"5717","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5456","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error 
message","id":"5625","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5773","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"1852","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"4130","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5179","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"1995","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"764","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2452","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"102","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"734","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5194","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5073","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"1306","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"4879","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"5945","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"4129","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5080","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"5252","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"4763","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4494","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"830","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response last: User host","id":"5513","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5889","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5803","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"3862","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1792","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a 
packet count of 43092","id":"4227","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"990","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery 
error message","id":"2529","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"5869","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"4960","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"4330","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2236","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"5769","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 10%","id":"4770","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"432","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"3200","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2443","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 
15%","id":"4648","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5160","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1613","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4096","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error 
message","id":"3185","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2389","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"621","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"1947","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1359","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5970","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"3472","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3797","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3490","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: 
Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4306","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"165","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"1307","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"5115","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"164","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"2019","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"5905","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"5948","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response last: User 
host","id":"5581","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: System memory is under 15%","id":"3728","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"1943","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"1900","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1302","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response last: User host","id":"1780","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"2175","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 10%","id":"2736","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error message","id":"3407","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"209","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3686","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"4365","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 15%","id":"4118","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response last: User host","id":"5788","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and 
target MASQUERADE has a packet count of 43294","id":"919","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"1936","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"2028","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3192","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4284","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"1056","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"843","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2089","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"1988","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response last: User host","id":"2222","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"3977","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error 
message","id":"2165","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2403","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"899","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has 
file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"2545","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"871","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"5414","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"706","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"118","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5415","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response last: User 
host","id":"5047","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"4272","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 15%","id":"1149","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"4156","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3318","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error message","id":"3908","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
15%","id":"1714","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"1098","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: System memory is under 
10%","id":"4687","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2282","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response last: User 
host","id":"5258","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2771","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"3228","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"5972","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2807","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"2499","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3976","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"2259","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error 
message","id":"161","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3825","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"692","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response last: User host","id":"4140","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1139","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2840","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
10%","id":"5587","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"3930","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"5381","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3937","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"4313","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory 
start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2467","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5091","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1844","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"5651","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"5807","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 15%","id":"5017","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"980","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"377","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2816","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2077","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"1559","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"4696","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2731","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"2040","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"5627","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error 
message","id":"128","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"212","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
15%","id":"5246","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5997","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1217","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"329","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"4013","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"5563","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"3566","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"2515","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"2828","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"666","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2231","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response last: User 
host","id":"3483","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response last: User host","id":"5892","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"5773","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1272","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5118","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"1611","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"5620","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response last: User host","id":"2493","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"610","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response last: User host","id":"5922","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response last: User 
host","id":"339","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"5535","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"1654","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4042","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 15%","id":"686","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response last: User 
host","id":"4184","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3371","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5745","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"853","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5344","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2785","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4116","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1404","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"1946","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
10%","id":"733","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"2891","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"3248","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"915","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"338","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1540","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"4481","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5771","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"1764","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"2646","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3352","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: System memory is under 10%","id":"3226","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 
15%","id":"5483","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response last: User host","id":"4472","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5123","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response last: User host","id":"5510","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: System memory is under 
10%","id":"658","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"915","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"1943","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5886","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"4118","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2154","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"3301","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"2356","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"91","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"1827","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"440","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5404","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2521","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"30","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"3002","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 10%","id":"4534","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"1353","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"750","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy 
ACCEPT and target MASQUERADE has a packet count of 43092","id":"2291","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 15%","id":"301","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3042","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"2888","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"588","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"2731","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3618","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error 
message","id":"789","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"5663","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5288","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error 
message","id":"2090","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1504","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5897","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"5961","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"3148","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5772","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
15%","id":"1500","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"5239","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4790","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"652","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 15%","id":"2088","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"5489","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"2496","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"1342","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3677","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5199","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2038","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error 
message","id":"4134","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2462","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"885","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"5180","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4473","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4103","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the 
interval is 3600 ","id":"2315","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3531","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"1459","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"1835","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4566","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1711","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 15%","id":"4089","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"5045","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2844","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"657","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
10%","id":"3682","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"2089","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"3328","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User host","id":"3393","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1633","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"2600","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"3094","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: System memory is under 
10%","id":"5096","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2479","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3041","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5253","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response last: User 
host","id":"143","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5386","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"968","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2680","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4004","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: System 
memory is under 10%","id":"3085","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"5677","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: System memory is under 15%","id":"2103","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error 
message","id":"3936","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5780","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2593","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 10%","id":"3287","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"3259","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"4079","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"967","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 
10%","id":"2362","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response last: User host","id":"5624","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"1568","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5995","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"1624","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2424","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"2367","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response last: User host","id":"1911","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5388","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"3641","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3660","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response last: User host","id":"3805","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"2167","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"5918","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"3352","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5350","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 
15%","id":"3738","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5224","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response last: User 
host","id":"2614","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"186","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"2310","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"605","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1795","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"294","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: System memory is under 10%","id":"1619","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response last: User host","id":"549","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: System memory is under 
15%","id":"5355","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"441","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"2087","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5189","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: System memory is under 10%","id":"4619","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4184","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"2820","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"3254","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error 
message","id":"5513","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5232","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4616","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4616","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring 
osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"3031","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4812","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4873","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"3915","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
10%","id":"4411","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2159","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"2955","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"3153","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2555","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error 
message","id":"1443","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4266","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"5488","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"2120","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 15%","id":"1220","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"132","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1861","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1131","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"2714","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5211","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3975","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4839","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"162","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3813","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
15%","id":"1898","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4417","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"3652","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring 
schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"407","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1408","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable 
source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"2098","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"509","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2112","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"5374","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
10%","id":"1721","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"935","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"5209","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"2868","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"107","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3348","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 15%","id":"4864","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"348","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response last: User host","id":"711","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5701","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 15%","id":"4702","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"2985","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"776","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
15%","id":"1538","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"400","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"70","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1687","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 15%","id":"451","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"4210","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3936","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1305","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4486","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5732","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 15%","id":"3919","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
10%","id":"982","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"4096","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5892","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"1395","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5795","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3935","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4736","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"4285","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3254","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
15%","id":"3055","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4113","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"323","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response 
iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"3340","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"5826","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: System memory is under 
10%","id":"5095","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5994","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"1641","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"4609","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"1021","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 10%","id":"5872","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4080","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2180","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"220","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response last: User host","id":"2245","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5867","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"4950","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2680","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5957","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1235","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 
15%","id":"5806","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"571","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3571","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"487","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"4152","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 
10%","id":"2051","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"4858","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5535","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2416","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"2642","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response last: User 
host","id":"5212","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1333","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4600","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 15%","id":"5090","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"3693","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2724","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"413","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"382","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"135","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1212","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
10%","id":"4846","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"777","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2187","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"2202","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"3133","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response last: User host","id":"4231","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"2104","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 10%","id":"4432","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4153","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"1165","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5682","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 15%","id":"3680","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"887","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2639","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 15%","id":"5024","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"3472","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2866","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"5786","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"2447","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"413","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2079","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5119","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error 
message","id":"4068","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"256","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3009","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2777","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3143","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error 
message","id":"2183","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"1051","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response last: User host","id":"5412","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
15%","id":"683","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"5205","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"5194","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1999","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5721","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"2586","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1204","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"4688","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"5038","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"157","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"2004","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"481","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"3235","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4425","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"4616","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5751","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"870","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2823","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"896","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User host","id":"3789","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4312","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3514","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"168","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response last: User host","id":"350","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1032","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 15%","id":"243","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"2456","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"4929","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
10%","id":"5954","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"1208","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response last: User 
host","id":"3233","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1096","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User 
host","id":"4596","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"503","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"5110","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3875","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"76","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3692","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"2975","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5250","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response last: User 
host","id":"494","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"944","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"3988","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4577","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5680","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"5694","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"5696","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4467","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"1635","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response last: User host","id":"2701","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1032","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4760","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: System memory is under 
10%","id":"4232","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"583","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"4712","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5233","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"817","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4920","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"2963","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"4699","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is 
pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"869","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4321","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error 
message","id":"2838","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2462","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2136","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"77","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error 
message","id":"1966","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"2698","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response last: User host","id":"3617","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4859","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 15%","id":"2781","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error 
message","id":"5999","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3450","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4000","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"4423","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"3672","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"871","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"695","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error 
message","id":"3340","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1371","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response last: User host","id":"1156","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1167","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"190","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
10%","id":"1874","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"2688","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"2144","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response last: User 
host","id":"4634","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 10%","id":"2289","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"5510","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1346","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"4998","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User 
host","id":"2875","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4054","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response last: User 
host","id":"5010","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response last: User host","id":"1961","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"3795","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3540","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3255","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"3503","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
10%","id":"4255","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"4950","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"5401","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"5173","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"869","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"5587","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response last: User host","id":"4012","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"4537","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 15%","id":"2269","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"607","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2426","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
10%","id":"2358","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"904","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2772","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response open_files: Process 18631 has file 
/var/osquery/osquery.db/MANIFEST-016679 opened","id":"911","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"3350","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1084","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"924","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"2670","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 
15%","id":"4040","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"1787","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"3770","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response last: User 
host","id":"2388","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5250","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"246","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"4872","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3776","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"1475","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"1902","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"4770","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3456","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error message","id":"5789","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"480","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"3238","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5121","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"654","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"3532","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"295","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 15%","id":"5287","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"4753","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"884","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"4201","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4826","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1945","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"2231","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4170","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5609","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and 
target DOCKER has a packet count of 34553","id":"1232","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response last: User host","id":"5834","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1353","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2962","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"3894","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"2031","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"5727","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2330","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4662","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2829","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
15%","id":"3061","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4632","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 
15%","id":"1634","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response last: User host","id":"1014","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"2565","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"799","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"4194","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"4554","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"2773","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1855","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error 
message","id":"2142","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response last: User host","id":"3389","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2080","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2258","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"768","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"1526","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"2122","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2290","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 
10%","id":"2540","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3761","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"1514","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3223","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4441","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"775","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response last: User host","id":"4701","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable 
source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2873","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"2117","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5731","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"1270","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"4323","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"5279","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"5509","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 15%","id":"3155","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 
10%","id":"3689","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3702","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5371","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4594","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: System memory is under 
10%","id":"599","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"1556","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4358","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"250","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2602","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery error message","id":"1578","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"1793","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error 
message","id":"169","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"1861","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"377","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1256","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"760","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2605","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2999","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error 
message","id":"5756","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"3459","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2946","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4724","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3110","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5635","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4143","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"4256","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"1070","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User 
host","id":"5056","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"60","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"55","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response last: User host","id":"2974","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2368","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3207","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5251","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"2151","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error message","id":"1146","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1142","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"3147","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5634","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4582","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error 
message","id":"2344","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1737","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"418","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4293","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3317","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"5839","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"940","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"5789","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"184","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"2595","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4404","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"1607","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"5981","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"5343","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 15%","id":"5713","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1444","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2550","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"2515","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5271","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4709","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5944","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"4366","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3382","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2794","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 
10%","id":"1421","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 10%","id":"2889","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"359","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"970","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error 
message","id":"5145","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 10%","id":"4230","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4616","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"1896","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error message","id":"3588","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"4000","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"5019","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: System memory is under 10%","id":"1740","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5978","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1098","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response last: User 
host","id":"2653","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4923","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: System memory is under 
10%","id":"1297","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4311","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
10%","id":"1077","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"787","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery error message","id":"274","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3260","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1873","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2436","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"3618","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 10%","id":"1330","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 
10%","id":"3186","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error message","id":"2302","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4215","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"106","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3338","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error 
message","id":"1342","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3160","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: System memory is under 15%","id":"5513","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3078","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"2583","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error 
message","id":"5545","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error message","id":"359","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"5964","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"543","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"943","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"2096","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5408","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery error 
message","id":"3915","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5176","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"2830","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
15%","id":"2994","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"575","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1599","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"3610","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"3787","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4217","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"1886","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2107","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit 
and the interval is 3600 ","id":"3034","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3950","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"585","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"2858","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"4374","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1964","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5945","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"2128","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"3951","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"325","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"365","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"4151","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5629","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2803","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"3578","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"2210","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
10%","id":"2481","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"5120","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"1533","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"3841","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4403","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"777","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5602","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"2674","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"104","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"2018","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
10%","id":"361","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3889","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5389","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1293","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
15%","id":"5429","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"294","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"1950","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery error message","id":"2597","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error 
message","id":"3845","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"347","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"2295","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 15%","id":"3641","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"5427","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"522","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"5558","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4139","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"3180","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error message","id":"4009","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"2028","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery error 
message","id":"4674","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1255","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 15%","id":"1811","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"2798","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"5901","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"3479","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1365","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"5435","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 
10%","id":"2604","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3032","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery error message","id":"757","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error 
message","id":"3465","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3610","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery error message","id":"1240","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4821","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response last: User host","id":"2058","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 
15%","id":"3188","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 10%","id":"5864","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1422","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"480","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4095","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"3323","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5050","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"1656","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: System memory is under 15%","id":"775","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1757","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"5429","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"1635","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3056","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery error 
message","id":"4766","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1412","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"1447","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5375","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"3330","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: System memory is under 15%","id":"4757","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"3298","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"4761","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response last: User host","id":"1173","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy 
ACCEPT and target MASQUERADE has a packet count of 43294","id":"5311","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4354","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery error message","id":"5320","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5705","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4325","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 
with policy ACCEPT and target DOCKER has a packet count of 34553","id":"2876","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4723","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"4918","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"66","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"4635","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"701","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: System memory is under 
15%","id":"1387","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"55","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: System memory is under 
15%","id":"2377","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery error message","id":"1212","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"5799","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"1759","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"343","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"2587","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"3746","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43294","id":"5362","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3403","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring schedule: The pack 
executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2824","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"1151","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 
opened","id":"861","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"194","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4677","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4330","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_env: Process 26151 Environment 
variable GENERATION value 244","id":"2756","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"5013","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"5125","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery error message","id":"3138","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"5824","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: 
Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43294","id":"4985","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T05:40:01.398+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43294","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3287370","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"283"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"2973","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"5106","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: System memory is under 15%","id":"5187","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type 
character","id":"3125","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"5021","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1308","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5726","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"1611","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1716","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"1441","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response last: User 
host","id":"4045","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T20:40:14.877+0000","subquery":"last","columns":{"tty":"pts/0","pid":"25728","time":"1587494777","type":"8"},"name":"pack_incident-response_last","action":"added","epoch":"0","counter":"1","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"3649","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1345","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: System memory is under 10%","id":"1461","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T17:25:27.657+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"10%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"1080","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"524","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"908","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"4486","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"784","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"652","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"954","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery error message","id":"2193","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"5438","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"4054","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 
43092","id":"4714","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"3101","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: System memory is under 
15%","id":"2719","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"623","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 
0xffffffffff601000","id":"3696","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"4495","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"3714","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3854","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"1334","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":4,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"4508","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery error message","id":"3195","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"2940","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":10,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"5263","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: System memory is under 
15%","id":"3937","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"1399","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1257","mail":false,"groups":["osquery"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":1,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"1375","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"5100","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":8,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"130","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 
34553","id":"1527","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 ","id":"2431","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"2433","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"504","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"5315","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T15:03:44.286+0000","subquery":"osquery_info","columns":{"watcher":"18596","system_time":"86740","config_valid":"1","pid":"18631","counter":"33","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2","config_hash":"8423af1820e09cef21c8ed5594827b13ea8af90d","build_platform":"ubuntu","start_time":"1586893611","extensions":"active","instance_id":"29ebc250-4d9d-4420-b46f-127ff9e2437d","build_distro":"xenial","resident_size":"66664000","user_time":"124490"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1789","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has a packet count of 43092","id":"1946","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"3515","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_memory: Process 644 [vsyscall] memory start 0xffffffffff600000, memory end 0xffffffffff601000","id":"3265","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T16:38:07.254+0000","subquery":"process_memory","columns":{"inode":"0","offset":"0","permissions":"r-xp","start":"0xffffffffff600000","end":"0xffffffffff601000","pid":"644","device":"00:00","pseudo":"1"},"name":"pack_incident-response_process_memory","action":"removed","epoch":"0","counter":"12"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 
244","id":"502","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: hardware-monitoring device_nodes: Device /dev/ptmx, UID 0, GID 5, type character","id":"2300","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-02T21:40:49.002+0000","subquery":"device_nodes","columns":{"mode":"0666","path":"/dev/ptmx","uid":"0","atime":"0","gid":"5","ctime":"1586444340","mtime":"1587489592","type":"character","block_size":"4096"},"name":"pack_hardware-monitoring_device_nodes","action":"added","epoch":"0","counter":"138","pack":"hardware-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery error message","id":"4130","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":11,"description":"osquery: incident-response iptables: Iptable source ip 172.17.0.0 with policy ACCEPT and target MASQUERADE has 
a packet count of 43092","id":"5723","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T13:47:53.366+0000","subquery":"iptables","columns":{"chain":"POSTROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"255.255.0.0","dst_ip":"0.0.0.0","packets":"43092","target":"MASQUERADE","src_ip":"172.17.0.0","protocol":"0","outiface_mask":"FFFFFFFFFFFFFFFF","bytes":"3271628","iniface":"all","outiface":"docker0","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":5,"description":"osquery: incident-response iptables: Iptable source ip 0.0.0.0 with policy ACCEPT and target DOCKER has a packet count of 34553","id":"1823","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-05T11:35:39.199+0000","subquery":"iptables","columns":{"chain":"PREROUTING","filter_name":"nat","dst_mask":"0.0.0.0","match":"yes","src_mask":"0.0.0.0","dst_ip":"0.0.0.0","packets":"34553","target":"DOCKER","src_ip":"0.0.0.0","protocol":"0","bytes":"2065050","iniface":"all","outiface":"all","policy":"ACCEPT"},"name":"pack_incident-response_iptables","action":"removed","epoch":"0","counter":"282","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"1617","mail":false,"groups":["osquery"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-01T19:54:02.938+0000","subquery":"mounts","columns":{"path":"/","blocks":"5239803","inodes":"10484720","flags":"rw,seclabel,relatime,attr2,inode64,noquota","inodes_free":"10436261","blocks_size":"4096","blocks_available":"3940776","type":"xfs","device":"/dev/xvda2","device_alias":"/dev/xvda2","blocks_free":"3940776"},"name":"pack_incident-response_mounts","action":"added","epoch":"0","counter":"278","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu xenial","id":"2063","mail":false,"groups":["osquery"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: System memory is under 
15%","id":"2478","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T18:09:29.420+0000","subquery":"iptables","columns":{"memory_free":"156012544","memory_free_perc":"0.039271301812363","threshold":"15%","memory_total":"3972685824"},"name":"low_free_memory","action":"removed","epoch":"0","counter":"548"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":12,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"907","mail":false,"groups":["osquery"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":9,"description":"osquery: osquery-monitoring osquery_info: Osquery version is 3.3.2 build on ubuntu 
xenial","id":"4370","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T15:54:59.059+0000","subquery":"osquery_info","columns":{"counter":"43","uuid":"EC234A5B-D23B-A7AD-CFF7-BC3F24CC5366","version":"3.3.2"},"name":"pack_osquery-monitoring_osquery_info","action":"removed","epoch":"0","counter":"1836","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":2,"description":"osquery: incident-response process_env: Process 26151 Environment variable GENERATION value 244","id":"998","mail":false,"groups":["osquery"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-03T08:53:40.555+0000","subquery":"process_env","columns":{"pid":"26151","value":"244","key":"GENERATION"},"name":"pack_incident-response_process_env","action":"added","epoch":"0","counter":"11"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":7,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"3701","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":14,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4083","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":6,"description":"osquery: incident-response open_files: Process 18631 has file /var/osquery/osquery.db/MANIFEST-016679 opened","id":"4193","mail":false,"groups":["osquery"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-07T20:30:44.956+0000","subquery":"open_files","columns":{"path":"/var/osquery/osquery.db/MANIFEST-016679","pid":"18631"},"name":"pack_incident-response_open_files","action":"removed","epoch":"0","counter":"11","pack":"incident-response"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":13,"description":"osquery: osquery-monitoring schedule: The pack executed is pack_ossec-rootkit_zk_rootkit and the interval is 3600 
","id":"4191","mail":false,"groups":["osquery"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"osquery":{"calendarTime":"2023-03-06T07:18:55.858+0000","subquery":"schedule","columns":{"average_memory":"0","avg_system_time":"0","executions":"177","output_size":"0","name":"pack_ossec-rootkit_zk_rootkit","interval":"3600","avg_user_time":"0","last_executed":"1587482079","wall_time":"0"},"name":"pack_osquery-monitoring_schedule","action":"removed","epoch":"0","counter":"282","pack":"osquery-monitoring"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers 
","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX 
Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers 
"},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX 
Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX 
Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the 
action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container 
nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker 
Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: 
Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: 
Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers 
"},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers 
","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker 
Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker 
Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context 
canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: 
Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers 
","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository 
wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker 
Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers 
","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository 
wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX 
Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker 
Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker 
Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers 
"},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers 
"},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX 
Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or 
repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received 
the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container 
received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers 
"},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX 
Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container 
nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX 
Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker 
Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container 
nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker 
Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error 
message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic 
License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash 
"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":4,"description":"Docker: Network bridge 
disconnected","groups":["docker"],"id":"87929","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"disconnect","Type":"network","Actor":{"Attributes":{"container":"b017ae02b17f5c2a707eba83171e78e42816f50837cb98a3c9e7927a76862113","name":"bridge","type":"bridge"},"ID":"4ade2be72d91a77fab72a4e6c01f5d9a8d4b9367f5309fb95dd73e31103664eb"},"scope":"local","timeNano":"1586460544485358336.000000","time":"1586460544"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash ","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh 
pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container 
restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container 
stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker 
Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container nginx_container restarted","groups":["docker"],"id":"87909","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"restart","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d129ebdad1275dc5f2f772864db0a39325b47cd6faa9f1e0791d9c3696efa35c"},"scope":"local","timeNano":"1586460544801840896.000000","from":"nginx","time":"1586460544","status":"restart"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default 
created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: 
kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Network vagrant_default created","id":"87930","firedtimes":1,"mail":false,"pci_dss":["10.2.7"],"groups":["docker"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Type":"network","Action":"create","Actor":{"ID":"c164ab04beb1587c28447aee55a656b4ffaa02b974ea185a638cbc633e933b39","Attributes":{"name":"vagrant_default","type":"bridge"}},"scope":"local","time":"1563354307","timeNano":"1563354307459382528.000000"}},"location":""} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-nginx 
pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-nginx:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-nginx:3.9.2_7.1.1","Attributes":{"maintainer":"NGINX Docker Maintainers ","name":"wazuh/wazuh-nginx"}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge connected","groups":["docker"],"id":"87928"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container started","groups":["docker"],"id":"87928"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers 
"},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":3,"description":"Docker: Container nginx_container stopped","groups":["docker"],"id":"87904","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"stop","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers "},"ID":"d4714643b2abfd129ffc8d1ccf6e0e786cd7163d56c70274c627f1b02c66a97d"},"scope":"local","timeNano":"1586461541373152000.000000","from":"nginx","time":"1586461541","status":"stop"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-elasticsearch 
pulled","id":"87932","firedtimes":2,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-elasticsearch:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-elasticsearch","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"elasticsearch","schema-version":"1.0","url":"https://www.elastic.co/products/elasticsearch","vcs-url":"https://github.com/elastic/elasticsearch","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":1,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"docker":{"level":"error","message":"Not continuing with pull after error: context canceled"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: 
die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh-kibana pulled","id":"87932","firedtimes":3,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh-kibana:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh-kibana:3.9.2_7.1.1","Attributes":{"license":"Elastic License","name":"wazuh/wazuh-kibana","org":{"label-schema":{"build-date":"20190305","license":"GPLv2","name":"kibana","schema-version":"1.0","url":"https://www.elastic.co/products/kibana","vcs-url":"https://github.com/elastic/kibana","vendor":"Elastic","version":"7.1.1"}}}},"scope":"local","time":"1563354404","timeNano":"1563354404067201536.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Network bridge 
connected","groups":["docker"],"id":"87928"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"connect","Type":"network","Actor":{"Attributes":{"container":"63abf4cef8d61a03f663719b7546ef5e1d31b4cd9790f8110c357fc1e5a7e340","name":"bridge","type":"bridge"},"ID":"9ea3c134e849e5c543e88fd80ee68086ea015476a827072ac0c340119bc9b7d6"},"scope":"local","timeNano":"1587084599776133888.000000","time":"1587084599"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":2,"mail":false,"level":5,"pci_dss":["10.2.7"],"description":"Docker: Started shell session in container nginx_container","groups":["docker"],"id":"87908","nist_800_53":["AU.14"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"exec_start: bash 
","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","maintainer":"NGINX Docker Maintainers ","execID":"eb0228ddaf4f3d651803a55ea2b7bf4be6b50a4a40fc0158c502ecf1f18975cb"},"ID":"a624c075c8e513ed2d352a895b09e9bef223664b78b858a3979cac05a6c6962b"},"timeNano":"1587404196804128000.000000","from":"nginx","time":"1587404196","status":"exec_start: bash "}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers "},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Docker: Container nginx_container received the action: kill","groups":["docker"],"id":"87924","gdpr":["IV_32.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"kill","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"nginx_container","signal":"15","maintainer":"NGINX Docker Maintainers 
"},"ID":"359a066ec21f1ec9b268880cbcbd66f9d68290304d162aff462a2257158016a6"},"scope":"local","timeNano":"1586460544324527616.000000","from":"nginx","time":"1586460544","status":"kill"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"level":3,"description":"Docker: Image or repository wazuh/wazuh pulled","id":"87932","firedtimes":1,"mail":false,"groups":["docker"],"pci_dss":["10.2.7"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"status":"pull","id":"wazuh/wazuh:3.9.2_7.1.1","Type":"image","Action":"pull","Actor":{"ID":"wazuh/wazuh:3.9.2_7.1.1","Attributes":{"name":"wazuh/wazuh"}},"scope":"local","time":"1563354346","timeNano":"1563354346181027328.000000"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container received the action: die","groups":["docker"],"id":"87928","gdpr":["IV_32.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"die","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","exitCode":"0","maintainer":"NGINX Docker Maintainers "},"ID":"88af836e73f40e0bf4fff9ee195be505fdca8c36f3baf911283526e83466a797"},"scope":"local","timeNano":"1587084648640092672.000000","from":"nginx","time":"1587084648","status":"die"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"firedtimes":1,"mail":false,"level":3,"description":"Docker: Container test_container 
started","groups":["docker"],"id":"87928"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"integration":"docker","docker":{"Action":"start","Type":"container","Actor":{"Attributes":{"image":"nginx","name":"test_container","maintainer":"NGINX Docker Maintainers "},"ID":"db9c5f635b95bb23aa07d69c6fea47801a6fa6b45859ce1f0af13c9b78590eea"},"scope":"local","timeNano":"1587084600046795264.000000","from":"nginx","time":"1587084600","status":"start"}},"location":""} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry 
Entry Deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4386,"level":10,"status":"enabled","details":{"frequency":"10","timeframe":"240","if_matched_sid":"4334","same_source_ip":""},"pci_dss":["11.4","10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Initial Access"],"id":["T1110","T1133"],"technique":["Brute Force","External Remote Services"]},"groups":["authentication_failures","syslog","pix"],"description":"PIX: Multiple AAA (VPN) authentication failures."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. It should not be sending e-mail."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification 
failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry 
Deleted."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail 
from invalid/unknown sender."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense 
Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password 
attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname 
verification failed"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application found."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege 
Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry 
changed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3904,"level":3,"status":"enabled","details":{"if_sid":"3900","match":"^LOGIN,"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","courier"],"description":"Courier (imap/pop3) authentication success."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal 
port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security 
Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run 
sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service 
"},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. 
Possible network scan."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source ip."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session 
opened."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user 
locked out."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5303,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user root|^'su root'|","^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8","7.9"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID to root."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of 
Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of 
spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and 
Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown 
sender."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was 
loaded"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code (spam)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: 
"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. Availability of the system is in risk."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP 
Wrappers."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer 
Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used 
Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source 
ip."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source ip."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed 
UID."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5104,"level":8,"status":"enabled","details":{"if_sid":"5100","regex":["Promiscuous mode enabled|","device S+ entered promiscuous 
mode"]},"pci_dss":["10.6.1","11.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Discovery"],"id":["T1040"],"technique":["Network Sniffing"]},"groups":["promisc","syslog","linuxkernel"],"description":"Interface entered in promiscuous(sniffing) mode."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version 
gathering)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not 
taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and 
Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender 
domain."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login 
timeouts)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial 
Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one 
time"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful 
login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender 
domain is not found (450: Requested mail action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid 
Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of 
Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address 
(REJECTED)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of 
commands)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence 
started."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute 
Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data 
Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4550,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"180","ignore":"60","if_matched_sid":"4503","same_source_ip":""},"pci_dss":["1.4","10.6.1","11.4"],"gpg13":["4.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6","SI.4"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3","CC6.1"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of 
Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages from same source IP."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5303,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user root|^'su root'|","^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8","7.9"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID to root."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3330,"level":10,"status":"enabled","details":{"ignore":"240","if_sid":"3320","match":["defer service failure|Resource temporarily unavailable|","^fatal: the Postfix mail system is not 
running"]},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","postfix"],"description":"Postfix process error."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5302,"level":9,"status":"enabled","details":{"if_sid":"5301","user":"^root"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["authentication_failed","syslog","su"],"description":"User missed the password to change UID to root."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry 
changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of 
Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin 
login"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. Availability of the system is in risk."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent 
disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute 
Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source ip."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application found."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial 
of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected 
sender (access)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application 
found."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email 
Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code 
(spam)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5303,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user root|^'su root'|","^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8","7.9"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID to root."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked 
out."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid 
Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login 
timeouts)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender 
(access)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible 
scan)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from 
same source ip."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple 
critical messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one 
time"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login 
failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user 
login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. 
It should not be sending e-mail."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands 
from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to pre-greeting."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5104,"level":8,"status":"enabled","details":{"if_sid":"5100","regex":["Promiscuous mode enabled|","device S+ entered promiscuous mode"]},"pci_dss":["10.6.1","11.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Discovery"],"id":["T1040"],"technique":["Network Sniffing"]},"groups":["promisc","syslog","linuxkernel"],"description":"Interface entered in promiscuous(sniffing) mode."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting 
down."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. It should not be sending e-mail."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial 
Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from 
unknown"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN 
REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new 
connections."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source ip."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial 
Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry 
changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN 
REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not 
taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password 
attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to 
pre-greeting."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data 
Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry 
Deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo 
executed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and 
Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender 
domain."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of 
spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. Ping of death attack."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. 
It should not be sending e-mail."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4550,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"180","ignore":"60","if_matched_sid":"4503","same_source_ip":""},"pci_dss":["1.4","10.6.1","11.4"],"gpg13":["4.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6","SI.4"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3","CC6.1"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages from same source IP."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands 
from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to pre-greeting."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code (spam)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same 
source."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + 
"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to pre-greeting."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root 
login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email 
Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification 
failed"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5302,"level":9,"status":"enabled","details":{"if_sid":"5301","user":"^root"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["authentication_failed","syslog","su"],"description":"User missed the password to change UID to root."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3330,"level":10,"status":"enabled","details":{"ignore":"240","if_sid":"3320","match":["defer service failure|Resource temporarily unavailable|","^fatal: the Postfix mail system is not running"]},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","postfix"],"description":"Postfix process error."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege 
Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the 
router."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of 
Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service 
"},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to 
pre-greeting."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple 
relaying attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid 
Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 
5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3904,"level":3,"status":"enabled","details":{"if_sid":"3900","match":"^LOGIN,"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","courier"],"description":"Courier (imap/pop3) authentication success."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to 
pre-greeting."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ 
denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote 
Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source 
ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent 
disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not 
taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3651,"level":10,"status":"enabled","details":{"frequency":"$IMAPD_FREQ","timeframe":"120","if_matched_sid":"3601","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","imapd"],"description":"Imapd Multiple failed logins from same source ip."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 
5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not 
taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. It should not be sending e-mail."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any 
valid MX record (Requested action aborted)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3904,"level":3,"status":"enabled","details":{"if_sid":"3900","match":"^LOGIN,"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","courier"],"description":"Courier (imap/pop3) authentication success."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received 
from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. Ping of death attack."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not 
taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts 
from same source (possible scan)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login 
timeouts)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log 
cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid 
Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added 
by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts 
to send e-mail from invalid/unknown sender domain."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same 
source."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN 
REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from 
unknown"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. 
It should not be sending e-mail."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry 
Deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing 
Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code (spam)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; 
COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup 
errors)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4810,"level":3,"status":"enabled","details":{"if_sid":"4806","id":"^236$"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","sonicwall"],"description":"SonicWall: Firewall administrator login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute 
Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of 
spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to 
send e-mail from a previously rejected sender (access)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal 
port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of 
Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin 
login"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon 
terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host 
rejected)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum 
Changed"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5303,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user root|^'su root'|","^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8","7.9"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID to 
root."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. 
Possible network scan."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5104,"level":8,"status":"enabled","details":{"if_sid":"5100","regex":["Promiscuous mode enabled|","device S+ entered promiscuous mode"]},"pci_dss":["10.6.1","11.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Discovery"],"id":["T1040"],"technique":["Network Sniffing"]},"groups":["promisc","syslog","linuxkernel"],"description":"Interface entered in promiscuous(sniffing) mode."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email 
Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3106,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.5.4 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender address does not have domain (553: Requested action not 
taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon 
terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing 
Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4550,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"180","ignore":"60","if_matched_sid":"4503","same_source_ip":""},"pci_dss":["1.4","10.6.1","11.4"],"gpg13":["4.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6","SI.4"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3","CC6.1"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages from same source IP."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 
5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4550,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"180","ignore":"60","if_matched_sid":"4503","same_source_ip":""},"pci_dss":["1.4","10.6.1","11.4"],"gpg13":["4.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6","SI.4"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3","CC6.1"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages from same source IP."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege 
Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT 
executed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4386,"level":10,"status":"enabled","details":{"frequency":"10","timeframe":"240","if_matched_sid":"4334","same_source_ip":""},"pci_dss":["11.4","10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Initial Access"],"id":["T1110","T1133"],"technique":["Brute Force","External Remote Services"]},"groups":["authentication_failures","syslog","pix"],"description":"PIX: Multiple AAA (VPN) authentication failures."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login 
failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3330,"level":10,"status":"enabled","details":{"ignore":"240","if_sid":"3320","match":["defer service failure|Resource temporarily unavailable|","^fatal: the Postfix mail system is not running"]},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","postfix"],"description":"Postfix process error."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 
5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not 
taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5302,"level":9,"status":"enabled","details":{"if_sid":"5301","user":"^root"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["authentication_failed","syslog","su"],"description":"User missed the password to change UID to root."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5403,"level":4,"status":"enabled","details":{"if_sid":"5400","if_fts":""},"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"First time user executed sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege 
Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5104,"level":8,"status":"enabled","details":{"if_sid":"5100","regex":["Promiscuous mode enabled|","device S+ entered promiscuous mode"]},"pci_dss":["10.6.1","11.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Discovery"],"id":["T1040"],"technique":["Network Sniffing"]},"groups":["promisc","syslog","linuxkernel"],"description":"Interface entered in promiscuous(sniffing) mode."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not 
taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4342,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-502101|^5-502102"},"pci_dss":["8.1.2","10.2.5"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.a.2.I","164.312.a.2.II","164.312.b"],"nist_800_53":["AC.2","IA.4","AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Initial Access"],"id":["T1089","T1133"],"technique":["Disabling Security Tools","External Remote Services"]},"groups":["adduser","account_changed","syslog","pix"],"description":"PIX: User created or modified on the Firewall."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 
"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use 
sudo."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded 
for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System 
Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4550,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"180","ignore":"60","if_matched_sid":"4503","same_source_ip":""},"pci_dss":["1.4","10.6.1","11.4"],"gpg13":["4.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6","SI.4"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3","CC6.1"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages from same source 
IP."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent 
removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence 
started."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute 
Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5304,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user|succeeded for|","^+|^S+ to |^SU S+ S+ + "]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code (spam)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3302,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^550$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Rejected by access list (Requested action not taken)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3852,"level":9,"status":"enabled","details":{"frequency":"14","timeframe":"120","ignore":"240","if_matched_sid":"3802","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail 500 error code (spam)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using 
"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible 
scan)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5402,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo to ROOT executed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application found."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group 
sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4386,"level":10,"status":"enabled","details":{"frequency":"10","timeframe":"240","if_matched_sid":"4334","same_source_ip":""},"pci_dss":["11.4","10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Initial Access"],"id":["T1110","T1133"],"technique":["Brute Force","External Remote Services"]},"groups":["authentication_failures","syslog","pix"],"description":"PIX: Multiple AAA (VPN) authentication failures."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5113,"level":7,"status":"enabled","details":{"if_sid":"5100","match":"Kernel log daemon 
terminating"},"pci_dss":["10.6.1"],"gpg13":["4.14"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1529"],"technique":["System Shutdown/Reboot"]},"groups":["system_shutdown","syslog","linuxkernel"],"description":"System is shutting down."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry 
changed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3156,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"120","if_matched_sid":"3107","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple rejected e-mails from same source ip."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4386,"level":10,"status":"enabled","details":{"frequency":"10","timeframe":"240","if_matched_sid":"4334","same_source_ip":""},"pci_dss":["11.4","10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Initial Access"],"id":["T1110","T1133"],"technique":["Brute Force","External Remote Services"]},"groups":["authentication_failures","syslog","pix"],"description":"PIX: Multiple AAA (VPN) authentication failures."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3153,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3104","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple relaying attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3154,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3105","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3301,"level":6,"status":"enabled","details":{"if_sid":"3300","id":"^554$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Attempt to use mail server as relay (client host rejected)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application found."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd 
user login."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same source."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4505,"level":11,"status":"enabled","details":{"if_sid":"4503","id":"^00027"},"pci_dss":["1.4","10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["SC.7","AU.6"],"tsc":["CC6.7","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1485"],"technique":["Data Destruction"]},"groups":["service_availability","netscreenfw"],"description":"Netscreen Erase sequence started."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection 
attempts from same source (possible scan)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0045-mailscanner_rules.xml","relative_dirname":"ruleset/rules","id":3751,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"3702","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Collection"],"id":["T1110","T1114"],"technique":["Brute Force","Email Collection"]},"groups":["multiple_spam","syslog","mailscanner"],"description":"mailscanner: Multiple attempts of spam."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender 
domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3103,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.0.0 |reject=553 5.3.0"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Rejected by access list (55x: Requested action not taken)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5401,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"incorrect password attempt"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Failed attempt to run sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":550,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_integrity_changed"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Integrity checksum changed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute 
Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2961,"level":5,"status":"enabled","details":{"if_sid":"2960","group":"sudo"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create Account"]},"groups":["syslog","yum"],"description":"User added to group sudo."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check 
tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5303,"level":3,"status":"enabled","details":{"if_sid":"5300","regex":["session opened for user root|^'su root'|","^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]},"pci_dss":["10.2.5"],"gpg13":["7.6","7.8","7.9"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","su"],"description":"User successfully changed UID to 
root."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3306,"level":6,"status":"enabled","details":{"if_sid":"3301, 3302","match":" blocked using "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: IP Address black-listed by anti-spam (blocked)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check 
tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version 
gathering)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3303,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^450$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Sender domain is not found (450: Requested mail action not taken)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5631,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"120","if_matched_sid":"5602","same_source_ip":""},"gdpr":["IV_35.7.d","IV_32.2"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","telnetd"],"description":"telnetd: Multiple connection attempts from same source (possible scan)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data 
Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":1003,"level":13,"status":"enabled","details":{"maxsize":"1025","noalert":"1"},"gpg13":["4.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","errors"],"description":"Non standard syslog message (size too large)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN 
REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4507,"level":8,"status":"enabled","details":{"if_sid":"4502","id":"^00515"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4810,"level":3,"status":"enabled","details":{"if_sid":"4806","id":"^236$"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","sonicwall"],"description":"SonicWall: Firewall administrator 
login."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2301,"level":10,"status":"enabled","details":{"match":"^Deactivating service "},"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","xinetd"],"description":"xinetd: Excessive number connections to a service."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was 
loaded"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo 
executed."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3904,"level":3,"status":"enabled","details":{"if_sid":"3900","match":"^LOGIN,"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","courier"],"description":"Courier (imap/pop3) authentication success."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5705,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5704"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access","Credential Access"],"id":["T1190","T1110"],"technique":["Exploit Public-Facing Application","Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible scan or breakin attempt (high number of login timeouts)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2960,"level":2,"status":"enabled","details":{"decoded_as":"gpasswd","match":"added by"},"gpg13":["7.9","4.13"],"gdpr":["IV_32.2"],"mitre":{"tactic":["Persistence"],"id":["T1136"],"technique":["Create 
Account"]},"groups":["syslog","yum"],"description":"User added to group."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4810,"level":3,"status":"enabled","details":{"if_sid":"4806","id":"^236$"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","sonicwall"],"description":"SonicWall: Firewall administrator login."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5703,"level":10,"status":"enabled","details":{"frequency":"6","timeframe":"360","if_matched_sid":"5702","same_source_ip":""},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["syslog","sshd"],"description":"sshd: Possible breakin attempt (high number of reverse lookup errors)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown sender."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log 
cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry 
Deleted."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":553,"level":7,"status":"enabled","details":{"category":"wazuh","decoded_as":"syscheck_deleted"},"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"File deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent 
removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same 
source."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0075-cisco-ios_rules.xml","relative_dirname":"ruleset/rules","id":4722,"level":3,"status":"enabled","details":{"if_sid":"4715","id":"^%SEC_LOGIN-5-LOGIN_SUCCESS"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","cisco_ios"],"description":"Cisco IOS: Successful login to the router."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3158,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3108","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple pre-greetings rejects."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3108,"level":6,"status":"enabled","details":{"if_sid":"3100","match":"rejecting commands from"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sendmail rejected due to pre-greeting."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial 
Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":518,"level":9,"status":"enabled","details":{"if_sid":"514","match":"Adware|Spyware"},"gpg13":["4.2"],"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Lateral Movement"],"id":["T1017"],"technique":["Application Deployment Software"]},"groups":["rootcheck","wazuh"],"description":"Windows Adware/Spyware application found."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2504,"level":9,"status":"enabled","details":{"match":"ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"},"pci_dss":["10.2.4","10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["invalid_login","syslog","access_control"],"description":"syslog: Illegal root login."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4386,"level":10,"status":"enabled","details":{"frequency":"10","timeframe":"240","if_matched_sid":"4334","same_source_ip":""},"pci_dss":["11.4","10.2.4","10.2.5"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access","Initial Access"],"id":["T1110","T1133"],"technique":["Brute Force","External Remote Services"]},"groups":["authentication_failures","syslog","pix"],"description":"PIX: Multiple AAA (VPN) authentication failures."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused 
connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4509,"level":8,"status":"enabled","details":{"if_sid":"4504","id":"^00767"},"pci_dss":["1.1.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1"],"nist_800_53":["CM.3","CM.5"],"tsc":["CC8.1"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","netscreenfw"],"description":"Netscreen firewall: configuration changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4506,"level":8,"status":"enabled","details":{"if_sid":"4501","id":"^00002"},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","netscreenfw"],"description":"Netscreen firewall: Successfull admin login"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3910,"level":10,"status":"enabled","details":{"frequency":"12","timeframe":"30","if_matched_sid":"3902","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","courier"],"description":"Courier brute force (multiple failed logins)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2502,"level":10,"status":"enabled","details":{"match":"more authentication failures;|REPEATED login 
failures"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failed","syslog","access_control"],"description":"syslog: User missed the password more than one time"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0090-telnetd_rules.xml","relative_dirname":"ruleset/rules","id":5601,"level":5,"status":"enabled","details":{"if_sid":"5600","match":"refused connect from "},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","telnetd"],"description":"telnetd: Connection refused by TCP Wrappers."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification 
failed"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":505,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent removed"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent removed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4323,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-605005"},"pci_dss":["10.2.5"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: Successful login."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of 
Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":594,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"550","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["syscheck","wazuh"],"description":"Registry Integrity Checksum Changed"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3104,"level":6,"status":"enabled","details":{"if_sid":"3101","match":"reject=550 5.7.1 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Attempt to use mail server as relay (550: Requested action not taken)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4335,"level":3,"status":"enabled","details":{"if_sid":"4314","id":"^6-113004"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","pix"],"description":"PIX: AAA (VPN) authentication successful."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3353,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3303","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4337,"level":8,"status":"enabled","details":{"if_sid":"4312","id":"^3-201008"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["service_availability","syslog","pix"],"description":"PIX: The PIX is disallowing new connections."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0040-imapd_rules.xml","relative_dirname":"ruleset/rules","id":3602,"level":3,"status":"enabled","details":{"if_sid":"3600","match":"Authenticated user="},"pci_dss":["10.2.5"],"gpg13":["7.1"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial 
Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","imapd"],"description":"Imapd user login."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. 
Ping of death attack."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":504,"level":3,"status":"enabled","details":{"if_sid":"500","match":"Agent disconnected"},"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["wazuh"],"description":"Ossec agent disconnected."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3355,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3305","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5706,"level":6,"status":"enabled","details":{"if_sid":"5700","match":"Did not receive identification string 
from"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1043"],"technique":["Commonly Used Port"]},"groups":["recon","syslog","sshd"],"description":"sshd: insecure connection attempt (scan)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4810,"level":3,"status":"enabled","details":{"if_sid":"4806","id":"^236$"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","sonicwall"],"description":"SonicWall: Firewall administrator 
login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4336,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^6-113006"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.1","7.5"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1133"],"technique":["External Remote Services"]},"groups":["authentication_failed","syslog","pix"],"description":"PIX: AAA (VPN) user locked out."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3102,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=451 4.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain does not have any valid MX record (Requested action aborted)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2503,"level":5,"status":"enabled","details":{"regex":["^refused connect from|","^libwrap refused connection|","Connection from S+ denied"]},"pci_dss":["10.2.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["access_denied","syslog","access_control"],"description":"syslog: Connection blocked by Tcp Wrappers."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of time."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2833,"level":8,"status":"enabled","details":{"if_sid":"2832","match":"^(root)"},"pci_dss":["10.2.7","10.6.1","10.2.2"],"gpg13":["4.13"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","cron"],"description":"Root's crontab entry changed."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3105,"level":5,"status":"enabled","details":{"if_sid":"3101","match":"reject=553 5.1.8 "},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","sendmail"],"description":"sendmail: Sender domain is not found (553: Requested action not taken)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit 
Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5302,"level":9,"status":"enabled","details":{"if_sid":"5301","user":"^root"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["authentication_failed","syslog","su"],"description":"User missed the password to change UID to root."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of 
time."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3396,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"verification"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: hostname verification failed"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":597,"level":5,"status":"enabled","details":{"category":"wazuh","if_sid":"553","hostname":"syscheck-registry"},"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion","Impact"],"id":["T1107","T1485"],"technique":["File Deletion","Data Destruction"]},"groups":["syscheck","wazuh"],"description":"Registry Entry Deleted."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3398,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"MAIL|does not resolve to address"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Illegal address from unknown sender"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in 
sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use sudo."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5405,"level":5,"status":"enabled","details":{"if_sid":"5400","match":"user NOT in sudoers"},"pci_dss":["10.2.2","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Unauthorized user attempted to use 
sudo."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5404,"level":10,"status":"enabled","details":{"if_sid":"5401","match":"3 incorrect password attempts"},"pci_dss":["10.2.4","10.2.5"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Three failed attempts to run sudo"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4851,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"4803"},"pci_dss":["10.6.1"],"gpg13":["3.5"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","sonicwall"],"description":"SonicWall: Multiple firewall error messages."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3911,"level":10,"status":"enabled","details":{"frequency":"17","timeframe":"30","if_matched_sid":"3901","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["recon","syslog","courier"],"description":"Courier: Multiple connection attempts from same source."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4325,"level":8,"status":"enabled","details":{"if_sid":"4313","id":"^4-405001"},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Command and Control"],"id":["T1095"],"technique":["Standard Non-Application Layer Protocol"]},"groups":["syslog","pix"],"description":"PIX: ARP collision detected."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4339,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111003"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration deleted."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3304,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^503$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3357,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","ignore":"60","if_matched_sid":"3332","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","syslog","postfix"],"description":"Postfix: Multiple SASL authentication failures."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5133,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"PKCS#7 signature not signed with a trusted 
key"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Signed but untrusted kernel module was loaded"},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2964,"level":10,"status":"enabled","details":{"frequency":"4","timeframe":"30","if_matched_sid":"2963","same_source_ip":""},"pci_dss":["11.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["recon","syslog","perdition"],"description":"perdition: Multiple connection attempts from same 
source."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3152,"level":6,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3103","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5108,"level":12,"status":"enabled","details":{"if_sid":"5100","match":"Out of Memory: "},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["service_availability","syslog","linuxkernel"],"description":"System running out of memory. 
Availability of the system is in risk."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3151,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3102","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Sender domain has bogus MX record. It should not be sending e-mail."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration 
changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3335,"level":6,"status":"enabled","details":{"if_sid":"3320","match":"^too many "},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: too many errors after RCPT from unknown"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5103,"level":9,"status":"enabled","details":{"if_sid":"5100","match":"Oversized packet received from"},"gdpr":["IV_35.7.d"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["syslog","linuxkernel"],"description":"Error message from the kernel. Ping of death attack."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5132,"level":11,"status":"enabled","details":{"if_sid":"5100","match":"module verification failed"},"mitre":{"tactic":["Persistence"],"id":["T1215"],"technique":["Kernel Modules and Extensions"]},"groups":["syslog","linuxkernel"],"description":"Unsigned kernel module was loaded"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","if_matched_sid":"5503","same_source_ip":""},"pci_dss":["10.2.4","10.2.5","11.4"],"gpg13":["7.8"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Credential Access"],"id":["T1110"],"technique":["Brute Force"]},"groups":["authentication_failures","pam","syslog"],"description":"PAM: Multiple failed logins in a small period of 
time."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0065-pix_rules.xml","relative_dirname":"ruleset/rules","id":4340,"level":8,"status":"enabled","details":{"if_sid":"4314","id":"^5-111005|^5-111004|^5-111002|^5-111007"},"pci_dss":["1.1.1","10.4"],"gpg13":["4.13"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.a.1","164.312.b"],"nist_800_53":["CM.3","CM.5","AU.8"],"tsc":["CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1089"],"technique":["Disabling Security Tools"]},"groups":["config_changed","syslog","pix"],"description":"PIX: Firewall configuration changed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3155,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"120","if_matched_sid":"3106","same_source_ip":""},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","sendmail"],"description":"sendmail: Multiple attempts to send e-mail from invalid/unknown 
sender."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0085-pam_rules.xml","relative_dirname":"ruleset/rules","id":5501,"level":3,"status":"enabled","details":{"if_sid":"5500","match":"session opened for user "},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","pam","syslog"],"description":"PAM: Login session opened."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0050-ms-exchange_rules.xml","relative_dirname":"ruleset/rules","id":3851,"level":9,"status":"enabled","details":{"frequency":"12","timeframe":"120","ignore":"120","if_matched_sid":"3801","same_source_ip":""},"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","ms","exchange"],"description":"ms-exchange: Multiple e-mail attempts to an invalid account."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3397,"level":6,"status":"enabled","details":{"if_sid":"3395","match":"RBL"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: RBL lookup error: Host or domain name not found"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3351,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"90","if_matched_sid":"3301","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple relaying attempts of spam."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size 
reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size reduced."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":593,"level":9,"status":"enabled","details":{"if_sid":"500","match":"^ossec: Event log cleared"},"pci_dss":["10.5.2"],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2","CC7.3"],"mitre":{"tactic":["Defense Evasion"],"id":["T1070"],"technique":["Indicator Removal on Host"]},"groups":["logs_cleared","wazuh"],"description":"Microsoft Event log cleared."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0055-courier_rules.xml","relative_dirname":"ruleset/rules","id":3904,"level":3,"status":"enabled","details":{"if_sid":"3900","match":"^LOGIN,"},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","courier"],"description":"Courier (imap/pop3) authentication 
success."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0070-netscreenfw_rules.xml","relative_dirname":"ruleset/rules","id":4551,"level":10,"status":"enabled","details":{"frequency":"8","timeframe":"180","ignore":"60","if_matched_sid":"4503"},"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["netscreenfw"],"description":"Netscreen firewall: Multiple critical messages."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":5407,"level":3,"status":"enabled","details":{"if_sid":"5400","regex":" ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="},"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Privilege Escalation"],"id":["T1169"],"technique":["Sudo"]},"groups":["syslog","sudo"],"description":"Successful sudo executed."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0095-sshd_rules.xml","relative_dirname":"ruleset/rules","id":5701,"level":8,"status":"enabled","details":{"if_sid":"5700","match":"Bad protocol version 
identification"},"pci_dss":["11.4"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1190"],"technique":["Exploit Public-Facing Application"]},"groups":["recon","syslog","sshd"],"description":"sshd: Possible attack on the ssh server (or version gathering)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3352,"level":6,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3302","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection","Impact"],"id":["T1114","T1499"],"technique":["Email Collection","Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3354,"level":12,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","if_matched_sid":"3304","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email 
Collection"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple misuse of SMTP service (bad sequence of commands)."},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0020-syslog_rules.xml","relative_dirname":"ruleset/rules","id":2551,"level":10,"status":"enabled","details":{"if_sid":"2550","regex":"^Connection from S+ on illegal port$"},"pci_dss":["10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"],"mitre":{"tactic":["Discovery"],"id":["T1046"],"technique":["Network Service Scanning"]},"groups":["connection_attempt","syslog","access_control"],"description":"Connection to rshd from unprivileged port. Possible network scan."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0015-ossec_rules.xml","relative_dirname":"ruleset/rules","id":592,"level":8,"status":"enabled","details":{"if_sid":"500","match":"^ossec: File size reduced"},"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1492"],"technique":["Stored Data Manipulation"]},"groups":["attacks","wazuh"],"description":"Log file size 
reduced."},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3356,"level":10,"status":"enabled","details":{"frequency":"$POSTFIX_FREQ","timeframe":"120","ignore":"30","if_matched_sid":"3306","same_source_ip":""},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Impact"],"id":["T1499"],"technique":["Endpoint Denial of Service"]},"groups":["multiple_spam","syslog","postfix"],"description":"Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0030-postfix_rules.xml","relative_dirname":"ruleset/rules","id":3305,"level":5,"status":"enabled","details":{"if_sid":"3300","id":"^504$"},"pci_dss":["10.6.1","11.4"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","SI.4"],"tsc":["CC7.2","CC7.3","CC6.1","CC6.8"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["spam","syslog","postfix"],"description":"Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"EventChannel"} 
+{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0080-sonicwall_rules.xml","relative_dirname":"ruleset/rules","id":4810,"level":3,"status":"enabled","details":{"if_sid":"4806","id":"^236$"},"pci_dss":["10.2.5"],"gpg13":["3.6"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Initial Access"],"id":["T1078"],"technique":["Valid Accounts"]},"groups":["authentication_success","syslog","sonicwall"],"description":"SonicWall: Firewall administrator login."},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/auth.log"} +{"@sampledata":true,"timestamp":"dateToChange","rule":{"filename":"0025-sendmail_rules.xml","relative_dirname":"ruleset/rules","id":3191,"level":6,"status":"enabled","details":{"if_sid":"3190","match":"^sender check failed|^sender check tempfailed"},"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"],"mitre":{"tactic":["Collection"],"id":["T1114"],"technique":["Email Collection"]},"groups":["smf-sav","spam","syslog","sendmail"],"description":"sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"/var/log/secure"} \ No newline at end of file